DDOS attack by uploading a few hundred large files in tooljet/tooljet

Valid

Reported on

Aug 28th 2022


Description

When a normal user uploads a photo to the profile, photos larger than 2 MB are not allowed, but I can upload a photo larger than the allowed limit.

Proof of Concept

https://drive.google.com/file/d/1jh0n9kOoFvW-esHg_pOtPeURTYjSIhDm/view?usp=sharing

Impact

What happens if a botnet starts uploading 100 MB files from 100 machines at the same time? This would mean that our network pipes are clogged handling 10 GB of data while slowing down our real customers. The answer: the site will go down and become unavailable.
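The server-side check this report is about, as an added example that is not ToolJet's own code: the 2 MB profile-photo cap (taken as 2 MiB here) enforced on the server by rejecting an oversized declared Content-Length up front and by counting bytes as the body streams in, so an upload is cut off as soon as it crosses the cap instead of after the full 100 MB has been received. All function and variable names are hypothetical.

```javascript
// Added example (not ToolJet's code): enforce an upload cap on the server,
// independent of any check the browser performs. Names are hypothetical.
const MAX_PROFILE_PHOTO_BYTES = 2 * 1024 * 1024; // the 2 MB limit in the report

class UploadTooLarge extends Error {
  constructor(seen, max) {
    super(`upload exceeded ${max} bytes (saw at least ${seen})`);
    this.name = 'UploadTooLarge';
    this.bytesSeen = seen;
  }
}

// Fast-fail on the declared size. A client can omit or lie about this header,
// so it is only a cheap pre-check, never the sole control.
function checkDeclaredLength(headers, max = MAX_PROFILE_PHOTO_BYTES) {
  const raw = headers['content-length'];
  if (raw === undefined) return { ok: true, declared: null };
  const declared = Number(raw);
  if (!Number.isInteger(declared) || declared < 0) return { ok: false, declared: raw };
  return { ok: declared <= max, declared };
}

// Consume the body chunk by chunk and stop the moment the cap is crossed, so the
// server never buffers (or even reads) the rest of an oversized upload.
// `chunks` is any iterable of Buffers (the request stream in a real handler).
function readBoundedBody(chunks, max = MAX_PROFILE_PHOTO_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > max) throw new UploadTooLarge(total, max); // also destroy the socket in a real handler
    parts.push(chunk);
  }
  return Buffer.concat(parts, total);
}

// Constructed client: sends `size` bytes in `chunkSize` pieces. Returns whether
// the upload was accepted and how many bytes the server actually read.
function simulateUpload(size, chunkSize, headers = {}) {
  if (!checkDeclaredLength(headers).ok) return { accepted: false, bytesRead: 0, reason: 'content-length' };
  function* body() {
    for (let sent = 0; sent < size; sent += chunkSize) yield Buffer.alloc(Math.min(chunkSize, size - sent));
  }
  try {
    return { accepted: true, bytesRead: readBoundedBody(body()).length, reason: null };
  } catch (e) {
    if (e instanceof UploadTooLarge) return { accepted: false, bytesRead: e.bytesSeen, reason: 'body' };
    throw e;
  }
}
```

A lying client that declares a small Content-Length and then streams 100 MB is still stopped within one chunk of the cap, which is the case the client-side-only check in the report misses.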

We are processing your report and will contact the tooljet team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the tooljet team and are waiting to hear back 2 years ago
We have sent a follow up to the tooljet team. We will try again in 4 days. a year ago
We have sent a second follow up to the tooljet team. We will try again in 7 days. a year ago
We have sent a third follow up to the tooljet team. We will try again in 14 days. a year ago
Navaneeth Pk validated this vulnerability a year ago
ahmed8magdy has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the tooljet team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the tooljet team. We will try again in 10 days. a year ago
ahmed8magdy
a year ago

Researcher


@navaneeth-pk hi When will you fix this bug ?

We have sent a third and final fix follow up to the tooljet team. This report is now considered stale. a year ago
ahmed8magdy
a year ago

Researcher


@navaneeth-pk any update

Midhun G S marked this as fixed in v1.27.0 with commit 01cd3f a year ago
The fix bounty has been dropped
ahmed8magdy
a year ago

Researcher


@navaneeth-pk and @admin, can this now be stored as a CVE :)

ahmed8magdy
a year ago

Researcher


@gsmithun4, can this now be stored as a CVE :)

Pavlos
a year ago

Admin


@maintainer can we assign a CVE here?

ahmed8magdy
a year ago

Researcher


@maintainer @admin @gsmithun4 can we assign a CVE here and make my report public?

Pavlos
a year ago

Admin


Hi Ahmed! As soon as the maintainer publishes your report, they will decide whether to assign a CVE for it or not. I'm sure the maintainer will soon be back, give them some time :)

ahmed8magdy
a year ago

Researcher


@gsmithun4 @navaneeth-pk any update

This vulnerability has now been published a year ago