Denial of Service via Multipart Boundary Manipulation
A Denial of Service (DOS) vulnerability was identified in version 20240628 of ChuanhuChatGPT. The issue arises when an attacker appends a large number of characters to the end of a multipart boundary during file upload, causing the system to become unresponsive. This vulnerability has not yet been patched.
Available publicly on Sep 29 2024
Threat Overview
The vulnerability allows an attacker to exploit the file upload functionality by adding an excessive number of characters to the end of a multipart boundary. This causes the system to continuously process each character, leading to resource exhaustion and making the service unavailable. The attack can be easily executed using tools like BurpSuite to intercept and modify the upload request. The impact is significant as it can render the service inaccessible for extended periods, disrupting operations and causing potential data inaccessibility.
Attack Scenario
An attacker intercepts a file upload request to ChuanhuChatGPT using a tool like BurpSuite. They then append a large number of characters to the end of the multipart boundary in the request. When the modified request is sent, the server begins processing each character, leading to resource exhaustion and making ChuanhuChatGPT unavailable for hours.
Who is affected
Users and administrators of ChuanhuChatGPT version 20240628 are affected by this vulnerability. Any service relying on ChuanhuChatGPT for operations could experience significant disruptions.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.