The microweber application allows large characters to insert in the input field "post title" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber
Valid
Reported on
Mar 12th 2022
Proof of Concept
- Go to add post
http://site.com/admin/post/create
- click on create new post
- There will a option called
post title
- Fill the input field with huge characters, (more than 1 lakh)
- Copy the below payload and put it in the input fields and click on continue.
- You will see the application accepts large characters and if we will increase the characters then it can lead to Dos.
Download the payload from here:
https://drive.google.com/file/d/1-e-lPMJxO7zBhcZOGKipnqOj3C4ygDGA/view?usp=drivesdk
Video & Image POC:
https://drive.google.com/drive/folders/1-L7kp5bmCuxBIEIxaUPu_lmKSOPpSdMU
Patch recemmondation:
- The post title input should be limited to 500 characters or max 1000 characters.
We are processing your report and will contact the
microweber
team within 24 hours.
2 years ago
Akshay Ravi modified the report
2 years ago
We have contacted a member of the
microweber
team and are waiting to hear back
2 years ago
to join this conversation