The Grav application accepts an unbounded number of characters in the "Full Name" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in getgrav/grav
Reported on Mar 15th 2022
Proof of Concept:
- Go to http://site/admin/accounts/users/testuser
- There will be a "Full name" input field. Add more than 1 lakh (100,000) characters to the Full name field.
- You will see that the application accepts the large input, and if we increase the number of characters further it can lead to DoS.
POC Image: https://ibb.co/v3zzkKY
Download the payload from here: https://drive.google.com/file/d/1-e-lPMJxO7zBhcZOGKipnqOj3C4ygDGA/view?usp=drivesdk
Patch recommendation:
The Full Name input should be limited to 100 characters, or at most 500 characters.
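The recommendation above is a server-side length limit on the field. The following is an added example of such a check, written here for illustration; it is not Grav's own code and does not reflect how the project implemented its fix. The limits (100 characters, 256 bytes), the function names, and the sample payloads are all assumptions. It enforces the limit both in characters (what the user sees) and in UTF-8 bytes (what would be written to the flat-file account record), and normalizes the string first so that decomposed and precomposed forms of the same name are counted the same way.

```python
"""Server-side length limit for a profile field (hypothetical validator).

Not Grav's code: an illustration of the "max limit on the input" patch
recommendation. Two limits are enforced because a string can be short in
characters yet large in bytes once encoded for storage.
"""
import unicodedata

# Assumed limits: the report suggests 100 characters; the byte budget is an
# added storage bound, chosen here for illustration.
MAX_FULLNAME_CHARS = 100
MAX_FULLNAME_BYTES = 256


class FieldTooLong(ValueError):
    """Raised when a field exceeds its character or byte limit."""


def validate_fullname(value: str,
                      max_chars: int = MAX_FULLNAME_CHARS,
                      max_bytes: int = MAX_FULLNAME_BYTES) -> str:
    """Return the normalized, trimmed full name, or raise FieldTooLong.

    The check runs before anything is written to disk, so an oversized
    request is rejected without the server storing or re-rendering it.
    """
    if not isinstance(value, str):
        raise TypeError("fullname must be a string")
    # NFC composition keeps "e" + combining acute (2 code points) from
    # counting differently than the precomposed "é" (1 code point).
    normalized = unicodedata.normalize("NFC", value).strip()
    if len(normalized) > max_chars:
        raise FieldTooLong(
            f"fullname has {len(normalized)} characters, max {max_chars}")
    encoded_len = len(normalized.encode("utf-8"))
    if encoded_len > max_bytes:
        raise FieldTooLong(
            f"fullname is {encoded_len} bytes in UTF-8, max {max_bytes}")
    return normalized


def accepts(value: str) -> bool:
    """True if the value passes validation, False if it is too long."""
    try:
        validate_fullname(value)
        return True
    except FieldTooLong:
        return False


if __name__ == "__main__":
    # Constructed payloads: a normal name, the report's 1 lakh (100,000)
    # character payload, a decomposed name that only fits after NFC, and a
    # multi-byte string that is short in characters but over the byte budget.
    samples = {
        "normal": "Ada Lovelace",
        "1 lakh chars": "A" * 100_000,
        "decomposed accents": "e\u0301" * 100,
        "100 emoji": "\U0001F600" * 100,
    }
    for label, payload in samples.items():
        print(f"{label:20s} -> {'accepted' if accepts(payload) else 'rejected'}")
```

A limit like this belongs on the server, not only as an HTML `maxlength` attribute, since the attacker sends the request directly; a request-body size limit at the web server layer is the first line of defence, and the field check is the second.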
Care to expand on how exactly this can lead to DoS? For Grav, being a file-system CMS with no DB, it doesn't really matter if you use 1 character or 1 million. The worst that can happen is your browser will prevent you from submitting if it exceeds its limitations, but it doesn't look like it's affecting Grav in any way with your payload.
I tested it, it saved as quickly as it would have with a regular full name. What am I missing?
If anything, I agree this should be limited and I would appreciate a GitHub issue report about it, I just don't think this is a vulnerability.
Please let us know!
I also tried to replicate this and the page loads just fine.
In this case I just used 1 lakh characters only; if I add more, like 50 lakh or 2 crore, then depending on the server capacity the server may hang and crash.
If you still have any doubt, refer to my previous report (similar to this one): https://huntr.dev/bounties/97e36678-11cf-42c6-889c-892d415d9f9e/
To patch this bug, simply add a max limit to the full name input field.
In this case I just used 1 lakh characters only for demo purposes; if more characters are added, like 50 lakh or 1 crore+, then depending on the server capacity the server may hang and crash.
Prove it. I made a user with 4 million characters in fullname, and it still loads.
I agree that we should limit the maximum allowed number of characters, but I cannot see how this is a security issue.
Here is the POC I recorded on my phone; my laptop was hanging so badly that I couldn't even record the screen.
https://drive.google.com/file/d/12kbgPcvXHb5BvwuuxQLD-e4ZS5jQ-_4F/view?usp=drivesdk
If you still refuse to assign a CVE, no problem sir. At least you can patch the bug by adding an input max limit, and I don't need any bounty regarding this issue, thanks 😀
I agree that it is a bug and it has already been fixed: https://github.com/getgrav/grav/commit/3e7f67f589267e61f823d19824f3ee1b9a8a38ff
The reason why I don't agree that this is a security vulnerability is that while your phone may run out of memory on some pages, the site doesn't stop working. Also there have been a lot of other bugs that have caused the whole site to stop working (fatal errors etc) with some specific inputs, and they are not considered vulnerabilities either.
@mahagr - we caught the bug here - looks like the fix was not properly attributed to you. We have fixed this up 👍
It looks like it was caused by accessing reports with both the magic link whilst also logged in with your GitHub account, causing a bit of confusion on our backend.
We have improved logging for this type of issue, and so will look to address this if it happens again. Have a great day and great work on this report all! 😀