The microweber application allows very long input in the "post title" field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber


Reported on

Mar 12th 2022

Proof of Concept

  1. Go to add post
  2. click on create new post
  3. There will be an option called post title
  4. Fill the input field with a huge number of characters (more than 1 lakh, i.e. 100,000)
  5. Copy the below payload and put it in the input fields and click on continue.
  6. You will see that the application accepts the large input, and if we increase the number of characters further it can lead to DoS.

Download the payload from here:

Video & Image POC:

Patch recommendation:

  1. The post title input should be limited to 500 characters or max 1000 characters.
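One way to apply the recommended limit on the server side, shown here as an added example and not as microweber's own code or fix: the field is rejected before any further processing when it exceeds a character limit, counting Unicode characters rather than bytes so multibyte titles are neither over-counted nor allowed to slip past a byte-based check. The limit of 500, the function name and the constant are assumptions for illustration.

```php
<?php
// Added example (not microweber's code): server-side length check for the
// "post title" field, following the patch recommendation above.
// POST_TITLE_MAX_CHARS and postTitleIsValid() are assumed names.

const POST_TITLE_MAX_CHARS = 500;

/**
 * Returns true when the title is well-formed UTF-8 and within the limit.
 * mb_strlen counts characters, not bytes, so a 4-byte emoji counts as one
 * character and a byte-based limit cannot be bypassed with multibyte input.
 */
function postTitleIsValid(string $title, int $max = POST_TITLE_MAX_CHARS): bool
{
    // Reject malformed encoding first; mb_strlen on invalid input is not reliable.
    if (!mb_check_encoding($title, 'UTF-8')) {
        return false;
    }

    // Check the length before any trimming, slug generation or database work
    // runs on the value, so oversized input costs the server as little as possible.
    return mb_strlen($title, 'UTF-8') <= $max;
}

// Constructed sample inputs
var_dump(postTitleIsValid('Hello world'));             // bool(true)
var_dump(postTitleIsValid(str_repeat('A', 100001)));   // bool(false): over 1 lakh characters
var_dump(postTitleIsValid(str_repeat('é', 500)));      // bool(true): 500 characters, 1000 bytes
```

The same limit should also be enforced at the framework validation layer and mirrored by a database column size, so that a request bypassing one layer is still rejected by the next; the check above is the application-level guard that runs before the request reaches either.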
We are processing your report and will contact the microweber team within 24 hours. 2 years ago
Akshay Ravi modified the report
2 years ago
We have contacted a member of the microweber team and are waiting to hear back 2 years ago
Bozhidar Slaveykov validated this vulnerability 2 years ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov marked this as fixed in 1.2.12 with commit f7acbd 2 years ago
Bozhidar Slaveykov has been awarded the fix bounty
This vulnerability will not receive a CVE