Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 03.07.2025
Last edited by cbay - 03.07.2025

FS#188 - # No limit in email length may result in a possible DOS attack in admin.alwaysdata.com

#No limit in email length may result in a possible DOS attack in admin.alwaysdata.com

From the page: https://admin.alwaysdata.com/profile When I tried to update the email address, I noticed that the database field was allocating 255 characters there and if the input was more than 255 character that field was truncating.
For example:

haxorsistz+axorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxoailrsistzh@gmail.com

You will see that the long email is readily accepted and there is no fixed length for this user input parameter.

Mitigation: The email parameter must have a specific user input length

Impact
An attacker can store a large email address as per his requirement which will possibly lead to a DOS attack / Buffer Overflow.

Thank You,

Waleed Anwar

Closed by  cbay
03.07.2025 14:18
Reason for closing:  Invalid
03.07.2025: A request to reopen the task has been made. Reason for request: Input haxorsistz+axorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxoailrsistzh@gmail.com then submit the request it should show 500 error.
Admin
cbay commented on 03.07.2025 14:18

Hello,

You will see that the long email is readily accepted and there is no fixed length for this user input parameter.

The HTML input type does have a maxlength limit.

An attacker can store a large email address as per his requirement which will possibly lead to a DOS attack / Buffer Overflow.

That's not true.

Kind regards,
Cyril

waloodi_109 commented on 03.07.2025 14:33

Input haxorsistz+axorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxorsistzhaxoailrsistzh@gmail.com

then submit the request it should show 500 error.

Admin
cbay commented on 03.07.2025 16:18

I tried and didn't get any 500 error. Can you share a video showing it?

waloodi_109 commented on 03.07.2025 17:24

Yeah,I will share with you

Admin
cbay commented on 04.07.2025 07:10

Thanks, that was a harmless bug.

waloodi_109 commented on 04.07.2025 07:36

You Should have to fix this because attacker can inject a payload in between it.

Admin
cbay commented on 04.07.2025 07:37

Can you prove it?

waloodi_109 commented on 04.07.2025 09:52

I tried it's accepting base64 encoding payload but not reflecting, and you fixed it without giving me a bounty that's not fair Sir

Admin
cbay commented on 04.07.2025 09:55

I fixed the 500 error that you reported, but it was not a security issue.

Next time, I suggest you simply do your research before submitting the report.

waloodi_109 commented on 04.07.2025 10:00

I clearly Submitted the report that was 500 error bug that was fixed by you, "attacker can inject a payload in between it" that was my opinion only.

waloodi_109 commented on 06.07.2025 22:32

The same report which is valid for https://admin.alwaysdata.com/permissions/add/

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing