The grav application allows an unbounded number of characters to be inserted in the "Full Name" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in getgrav/grav

Status: Valid

Reported on Mar 15th 2022


Proof of Concept:

  1. Go to http://site/admin/accounts/users/testuser
  2. There will be a Full Name input field
  3. Add more than 1 lakh+ characters to the Full Name field
  4. You will see that the application accepts the large input, and if we increase the number of characters further it can lead to DoS.

POC Image:

https://ibb.co/v3zzkKY

Download the payload from here:

https://drive.google.com/file/d/1-e-lPMJxO7zBhcZOGKipnqOj3C4ygDGA/view?usp=drivesdk

Patch recommendation:

The Full Name input should be limited to 100 characters, or at most 500 characters.
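As an added example (not part of this report and not Grav's own code; the actual fix landed in commit 3e7f67, whose contents are not reproduced here), the following PHP function shows what a server-side length limit for the Full Name field looks like. Grav itself is written in PHP; the function name, the 100-character limit (taken from the recommendation above) and the sample inputs are assumptions. The byte-length guard runs before any multibyte scan so that a multi-megabyte payload is rejected at O(1) cost, and the limit is enforced on the server regardless of what the browser does, which is the only place it matters for a crafted HTTP request.

```php
<?php
// Added example, not Grav's code. Hypothetical server-side validator for a
// "Full Name" field; limits and helper name are assumptions for illustration.

declare(strict_types=1);

const FULLNAME_MAX_CHARS = 100; // limit from the patch recommendation above

/**
 * Returns null when $name is acceptable, otherwise a human-readable error.
 */
function validateFullName(string $name, int $maxChars = FULLNAME_MAX_CHARS): ?string
{
    // Cheap byte-length guard first: strlen() is O(1) in PHP, so an oversized
    // payload is rejected before any multibyte scanning or file write happens.
    // A UTF-8 character is at most 4 bytes, so this can never reject a valid name.
    if (strlen($name) > $maxChars * 4) {
        return sprintf('Full name exceeds %d characters.', $maxChars);
    }
    if (!mb_check_encoding($name, 'UTF-8')) {
        return 'Full name must be valid UTF-8.';
    }
    // Count characters, not bytes, so "Zoë" counts as 3 rather than 4.
    if (mb_strlen($name, 'UTF-8') > $maxChars) {
        return sprintf('Full name exceeds %d characters.', $maxChars);
    }
    // Reject control characters (newlines etc.) that have no place in a name
    // and could corrupt the YAML account file Grav stores users in.
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return 'Full name contains control characters.';
    }
    return null;
}

// Constructed inputs for a quick self-check (1 lakh = 100,000 characters).
$cases = [
    'Akshay Ravi'           => null,
    'Zoë Ångström'          => null,
    str_repeat('A', 100)    => null,
    str_repeat('A', 101)    => 'Full name exceeds 100 characters.',
    str_repeat('A', 100000) => 'Full name exceeds 100 characters.',
    "Jane\nDoe"             => 'Full name contains control characters.',
];
foreach ($cases as $input => $expected) {
    $result = validateFullName($input);
    printf("bytes=%6d -> %s\n", strlen($input), $result ?? 'OK');
    assert($result === $expected);
}
```

The same limit should also be declared in the field's blueprint so the admin form rejects it client-side, but only the server-side check stops a request that bypasses the form entirely.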

We are processing your report and will contact the getgrav/grav team within 24 hours. 2 months ago
We have contacted a member of the getgrav/grav team and are waiting to hear back 2 months ago
Djamil Legato (Maintainer), 2 months ago
Care to expand on how this exactly can lead to DoS? For Grav, being a file-system CMS with no DB, it doesn't really matter if you use 1 character or 1 million. The worst that can happen is your browser will prevent you from submitting if it exceeds its limitations, but it doesn't look like it's affecting Grav in any way with your payload.

I tested it, it saved as quickly as it would have with a regular full name. What am I missing?

If anything, I agree this should be limited and I would appreciate a GitHub issue report about it, I just don't think this is a vulnerability.

Please let us know!

Matias Griese (Maintainer), 2 months ago
I also tried to replicate this and the page loads just fine.

Akshay Ravi (Researcher), 2 months ago
In this case I just used 1 lakh characters only; if I add more, like 50 lakh or 2 crore, based on the server capacity, the server may hang and crash.

Akshay Ravi (Researcher), 2 months ago
If you still have any doubt, refer to my previous report (similar to this one): https://huntr.dev/bounties/97e36678-11cf-42c6-889c-892d415d9f9e/

To patch this bug, simply add a max limit to that Full Name input field.

Akshay Ravi (Researcher), 2 months ago
In this case I just used 1 lakh characters only for demo purposes; if I add more characters, like 50 lakh or 1 crore+, based on the server capacity, the server may hang and crash.

Matias Griese (Maintainer), 2 months ago
Prove it. I made a user with 4 million characters in fullname, and it still loads.

I agree that we should limit the maximum allowed number of characters, but I cannot see how this is a security issue.

Akshay Ravi (Researcher), 2 months ago
Here is the POC I recorded on my phone; my laptop was hanging so badly that I can't even record the screen.

https://drive.google.com/file/d/12kbgPcvXHb5BvwuuxQLD-e4ZS5jQ-_4F/view?usp=drivesdk

If you still refuse to assign a CVE, no problem sir. At least you can patch the bug with an input max limit, and I don't need any bounty regarding this issue, thanks 😀

Matias Griese (Maintainer), 2 months ago
I agree that it is a bug and it has already been fixed: https://github.com/getgrav/grav/commit/3e7f67f589267e61f823d19824f3ee1b9a8a38ff

The reason why I don't agree that this is a security vulnerability is that while your phone may run out of memory on some pages, the site doesn't stop working. Also there have been a lot of other bugs that have caused the whole site to stop working (fatal errors etc) with some specific inputs, and they are not considered vulnerabilities either.

Akshay Ravi (Researcher), 2 months ago
OK, thanks for the fix.

We have sent a follow up to the getgrav/grav team. We will try again in 7 days. 2 months ago
A getgrav/grav maintainer modified the report
2 months ago
Djamil Legato modified the report
2 months ago
We have sent a second follow up to the getgrav/grav team. We will try again in 10 days. 2 months ago
A getgrav/grav maintainer validated this vulnerability 2 months ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
A getgrav/grav maintainer confirmed that a fix has been merged on 3e7f67 2 months ago
Matias Griese has been awarded the fix bounty
Jamie Slome (Admin), 2 months ago
@mahagr - we caught the bug here - looks like the fix was not properly attributed to you. We have fixed this up 👍

It looks like it was caused by accessing reports with both the magic link whilst also logged in with your GitHub account, causing a bit of confusion on our backend.

We have improved logging for this type of issue, and so will look to address this if it happens again. Have a great day and great work on this report all! 😀
