A denial of service attack might be launched against the server if an unusually lengthy password (more than 10000000 characters) is supplied to the osTicket application. This can cause the website to go down or stop responding: when such a long password is submitted, the password-handling routine consumes all available CPU and memory.
Affected version: osTicket (v1.17.2)
Proof of Concept:
1. Sign up to the application, capture the request in Burp Suite and send it to Repeater.
2. Copy the payload from the payload file (you may use your own very long password instead), paste it into the password parameters and click Send.
3. You'll see that the program accepts the lengthy password, which might cause a DoS or be used as a DDoS attack vector.
Impact:
This vulnerability may be exploited in a DDoS attack, preventing legitimate users from accessing resources or applications.
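A defensive counterpart to the issue described above, added here as an example and not code from the osTicket project: the password handler rejects oversized input before any key-derivation work is done, so a 10,000,001-character password costs only a length check rather than CPU and memory. The 128-byte limit and the PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed limits for this example; they are not osTicket's own values.
MAX_PASSWORD_BYTES = 128
PBKDF2_ITERATIONS = 100_000


class PasswordTooLong(ValueError):
    """Raised when a password exceeds the byte limit."""


def check_password_length(password: str, max_bytes: int = MAX_PASSWORD_BYTES) -> None:
    # Measure UTF-8 bytes, not characters: a multi-byte character costs
    # more to process than its character count suggests.
    n = len(password.encode("utf-8"))
    if n > max_bytes:
        raise PasswordTooLong(f"password is {n} bytes, limit is {max_bytes}")


def accepts_password(password: str) -> bool:
    """Registration-side gate: True only if the password passes the length check."""
    try:
        check_password_length(password)
    except PasswordTooLong:
        return False
    return True


def hash_password(password: str, salt: bytes = b"") -> tuple:
    # The length check runs first, before the deliberately slow KDF.
    check_password_length(password)
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    # An oversized login attempt is rejected without touching the KDF.
    if not accepts_password(password):
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, digest))  # True
    print(accepts_password("x" * 10_000_001))  # False: rejected before hashing
```

The application-level check belongs alongside, not instead of, a request body size limit at the web server, since the latter does not know which field is a password.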