Headline
CVE-2022-1698: Allowing long password leads to denial of service in organizr
Allowing long password leads to denial of service in GitHub repository causefx/organizr prior to 2.1.2000. This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.
Description
The Organizr application allows to sending a very long password (10000000 characters) it’s possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion.
Proof of Concept
1.Sign up to the application, capture the request in burp suites, and send it to Repeater.
2.Copy the payload from this link:- https://drive.google.com/file/d/11AwLp8Ae1_eJqGb44W9QJDtPmVw-1RSQ/view?usp=sharing and paste on password parameter and send go.
3.You will see that the application allows long passwords this can leads to Dos and can exploit as DDos
Video PoC
https://drive.google.com/file/d/1V_ZoXRJGkF7XSGdXJ4yPKRtQoxeTDyFe/view?usp=sharing
Impact
This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.
Related news
Allowing long password leads to denial of service in GitHub repository causefx/organizr prior to 2.1.2000. This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.