Headline
ebankIT 6 Denial Of Service
ebankIT versions prior to 7 suffer from a denial of service vulnerability.
CVE-2023-30455[Description]An issue was discovered in ebankIT before version 7.A Denial-of-Service attack is possible through the GET parameterEStatementsIds located on the/Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx endpoint.The GET parameter accepts over 100 comma-separated e-statement IDswithout throwing an error. When this many IDs are supplied, the servertakes around 60 seconds to respond and successfully generate theexpected ZIP archive (during this time period, no other pages load). Athreat actor could issue a request to this endpoint with 100+ statementIDs every 30 seconds, potentially resulting in an overload of theserver for all users.------------------------------------------[VulnerabilityType Other]Denial of Service------------------------------------------[Vendor of Product]ebankIT------------------------------------------[Affected Product Code Base]ebankIT - Omnichannel Digital Banking Platform - Version 6, patched in version 7------------------------------------------[Affected Component]The endpoint existing at /Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx?EStatementsIds=*id*,*id*,*id*,etc------------------------------------------[Attack Type]Remote------------------------------------------[Impact Denial of Service]true------------------------------------------[Attack Vectors]I discovered it was possible to perform a Denial-of-Service attack onthe ebankIT platform, potentially resulting in a single user renderingthe entire application inaccessible. The vulnerable endpoint exists on/Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashxand the EStatementsIds GET parameter accepts over 100comma-separated e-statement IDs without throwing an error. When thismany IDs are supplied, the server takes around 60 seconds to respondand successfully generate the expected zip file (during this 60seconds, no other pages load). A threat actor could issue a request tothis endpoint with 100+ statement ID s every 30 seconds, potentiallyresulting in overloading the server for all users of the ebankITplatform. I believe this is being caused by a thread commitment issuewhere there are no dedicated threads to individual processes.------------------------------------------[Discoverer]Jake MurphyRelated news
CVE-2023-30455: ebankIT 6 Denial Of Service ≈ Packet Storm
An issue was discovered in ebankIT before 7. A Denial-of-Service attack is possible through the GET parameter EStatementsIds located on the /Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx endpoint. The GET parameter accepts over 100 comma-separated e-statement IDs without throwing an error. When this many IDs are supplied, the server takes around 60 seconds to respond and successfully generate the expected ZIP archive (during this time period, no other pages load). A threat actor could issue a request to this endpoint with 100+ statement IDs every 30 seconds, potentially resulting in an overload of the server for all users.