Improper Handling of Values in utmsigep/member-directory
May 15th 2021
Entering unintended values during the member-creation flow leaves the database in an unusual state and causes unhandled exceptions (with stack-trace disclosure) and denial of service through continuous page crashes.
🕵️‍♂️ Proof of Concept
- Select a member status/group.
- Create New Member.
- Enter an invalid value into the "Local Identifier" field, e.g. an XSS payload such as `<img src=x onerror="alert('L ID')" />`.
- Hit Save. The page crashes with a 500: Internal Server Error.
- Hit the back button and correct the error: enter an integer into the "Local Identifier" field and hit Save.
- Navigate to other pages in the application, for example the "Recent Changes" page. The page immediately crashes with a stack trace and an error:
  `An exception has been thrown during the rendering of a template ("Parameter "localIdentifier" for route "member_show" must match "[^/]++" ("<img src=x onerror="alert('L ID')" />" given) to generate a corresponding URL.").`
- The error contains the payload that caused the first crash. This value should not make it into the database.
The application state for broken pages is not recoverable unless changes are made to the database directly. This causes denial of service/lockout on certain features across the application and potential unintended behaviour in the flows that do still work.
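Added illustration, not code from the member-directory project: the route requirement `[^/]++` quoted in the error above is a URL-generation constraint, not input validation, so the stored value must be validated at the create/edit form before it is persisted, and rows that already hold a bad value must be found and repaired. The `/member/...` path, the integer-only format for Local Identifier (suggested by the corrective step in the PoC) and the sample rows are assumptions.

```python
import re
from typing import Iterable

# The requirement on the member_show route, quoted in the error above.
# The possessive "++" is written as "+" here; under fullmatch they are equivalent.
ROUTE_REQUIREMENT = re.compile(r"[^/]+")

# Assumption (not stated by the project): Local Identifier is meant to hold
# a whole number, as the PoC's corrective step ("enter an integer") suggests.
LOCAL_ID_FORMAT = re.compile(r"[0-9]+")


def generate_member_show_url(local_identifier: str) -> str:
    """Mimic the URL generator: a stored value that fails the route
    requirement aborts template rendering, which is what takes down
    unrelated pages such as Recent Changes. The path shape is assumed."""
    if not ROUTE_REQUIREMENT.fullmatch(local_identifier):
        raise ValueError(
            'Parameter "localIdentifier" for route "member_show" must match '
            f'"[^/]++" ("{local_identifier}" given)')
    return f"/member/{local_identifier}"


def validate_local_identifier(raw: str) -> str:
    """Validate at the form layer, before anything is persisted. Returns the
    normalised value or raises ValueError with a user-facing message, so the
    user sees a form error instead of a 500 and a stack trace. A value that
    passes LOCAL_ID_FORMAT also trivially satisfies the route requirement."""
    value = raw.strip()
    if not LOCAL_ID_FORMAT.fullmatch(value):
        raise ValueError("Local Identifier must be a whole number")
    return value


def find_broken_members(rows: Iterable[dict]) -> list:
    """Audit existing rows: return the ids whose stored Local Identifier would
    make URL generation throw. These are the rows that currently have to be
    repaired directly in the database for the broken pages to recover."""
    broken = []
    for row in rows:
        try:
            generate_member_show_url(str(row["localIdentifier"]))
        except ValueError:
            broken.append(row["id"])
    return broken


# Constructed sample rows, including the payload from the report.
SAMPLE_ROWS = [
    {"id": 1, "localIdentifier": "1042"},
    {"id": 2, "localIdentifier": "<img src=x onerror=\"alert('L ID')\" />"},
    {"id": 3, "localIdentifier": "7"},
]
```

Running `find_broken_members(SAMPLE_ROWS)` returns `[2]`, the one row that would crash every page rendering a `member_show` link.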