
Upload delay resulting in DoS

Open mmmds opened this issue 5 years ago • 3 comments

There is a vulnerability which allows an attacker to perform a DoS attack against the application server. The problem lies in the handling of the delay parameter when an upload is initiated (gwtupload.server.UploadServlet#parsePostRequest). The value from this parameter is used as an argument for the Thread.sleep invocation. A malicious user can specify even the max integer value 2147483647, which would cause a thread to sleep for almost 25 days (gwtupload.server.AbstractUploadListener#update). Additionally, the value from the delay parameter is assigned to a field which, in the case of servlets, behaves as a global variable. It means every further request will use this value and will also be put to sleep. Putting a thread to sleep excludes it from a limited set of available threads, so after a suitable number of upload requests (Tomcat by default has a limit of 200 threads) the whole application will become unresponsive and will not accept any new requests.

https://github.com/manolo/gwtupload/blob/master/core/src/main/java/gwtupload/server/UploadServlet.java

```java
  protected String parsePostRequest(HttpServletRequest request, HttpServletResponse response) {
    try {
      String delay = request.getParameter(PARAM_DELAY);
      String maxFilesize = request.getParameter(PARAM_MAX_FILE_SIZE);
      maxSize = maxFilesize != null && maxFilesize.matches("[0-9]*") ? Long.parseLong(maxFilesize) : maxSize;
      uploadDelay = Integer.parseInt(delay);
    } catch (Exception e) { }
[...]
  protected AbstractUploadListener createNewListener(HttpServletRequest request) {
    int delay = request.getParameter("nodelay") != null ? 0 : uploadDelay;
    if (isAppEngine()) {
      return new MemoryUploadListener(delay, getContentLength(request));
    } else {
      return new UploadListener(delay, getContentLength(request));
    }
  }
```

https://github.com/manolo/gwtupload/blob/master/core/src/main/java/gwtupload/server/AbstractUploadListener.java

```java
    // Just a way to slow down the upload process and see the progress bar in fast networks.
    if (slowUploads > 0 && done < total) {
      try {
        Thread.sleep(slowUploads);
      } catch (Exception e) {
        exception = new RuntimeException(e);
      }
    }
```

In the same way, the servlet accepts a maxFileSize parameter, but abusing it will only prevent files from being uploaded; the server won't suffer.

mmmds commented Feb 17 '20 21:02
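An added illustration of the mitigation a maintainer would apply (not code from the gwtupload project or from the reporter): the delay is parsed per request into a local value instead of a servlet-wide field, and it is bounded so that a client cannot choose how long a worker thread sleeps. The cap `MAX_DELAY_MS` and the method names are assumptions.

```java
import java.util.concurrent.TimeUnit;

/** Added example: bounded, per-request upload delay instead of a servlet-wide field. */
public class DelayParamExample {

    // Assumed upper bound: enough to show a progress bar, not enough to pin a worker thread.
    static final long MAX_DELAY_MS = 1_000L;

    // Vulnerable pattern: any integer is accepted and kept in a field shared by all requests
    // (a static here stands in for the servlet instance field described in the report).
    static int sharedUploadDelay = 0;

    static void vulnerableParse(String delay) {
        try {
            sharedUploadDelay = Integer.parseInt(delay);   // 2147483647 -> ~25 days of sleep
        } catch (Exception e) { }
    }

    // Hardened pattern: local value, digits only, clamped, never persisted across requests.
    static long safeParseDelay(String delay) {
        if (delay == null || !delay.matches("[0-9]{1,4}")) {
            return 0L;                         // absent, negative or malformed: no delay
        }
        long requested = Long.parseLong(delay);
        return Math.min(requested, MAX_DELAY_MS);
    }

    // Stand-in for the listener's sleep; it only ever waits a bounded amount.
    static void slowDown(long delayMs) throws InterruptedException {
        if (delayMs > 0) {
            TimeUnit.MILLISECONDS.sleep(delayMs);
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed inputs: a normal demo value, the max-int value from the report,
        // a negative number, garbage, and a missing parameter.
        String[] inputs = { "200", "2147483647", "-5", "abc", null };
        for (String in : inputs) {
            vulnerableParse(in);                // shared field keeps the last parsable value
            long safe = safeParseDelay(in);     // hardened result is per request and <= cap
            System.out.printf("param=%-11s shared field=%11d  bounded=%d ms%n",
                              in, sharedUploadDelay, safe);
            slowDown(safe);                     // at most MAX_DELAY_MS per request
        }
    }
}
```

The printed "shared field" column shows the reported persistence: the unparsable inputs leave the previous client's value in place, while the bounded column never exceeds the cap.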

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13128

mmmds commented Jun 07 '20 19:06

🛠️ A fix has been provided for this issue. Please reference: https://github.com/418sec/gwtupload/pull/1

🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.

huntr-helper commented Jun 19 '20 15:06

Fix merged, can be closed.

csware commented Feb 14 '21 16:02