Laravel Nova 3.7.0 – ‘range’ DoS

  • Author: iqzer0
    Date: 2020-12-04
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/49198/
  • # Exploit Title: Laravel Nova 3.7.0 - 'range' DoS
    # Date: June 22, 2020
    # Exploit Author: iqzer0
    # Vendor Homepage: https://nova.laravel.com/
    # Software Link: https://nova.laravel.com/releases
    # Version: v3.7.0
    # Tested on: Manjaro / Chrome v83
    
    An authenticated user can crash the application by setting a higher
    value for the 'range' (default 30) parameter and sending simultaneous
    requests (10 simultaneous requests were enough to DoS the server in my
    testing).
    
    Vulnerable URL:
    https://example.com/nova-api/metrics/sum-orders?timezone=Indian%2FMaldives&twelveHourTime=true&range=3000000
    Vulnerable Parameter: range
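
A defender-side way to spot this pattern in web-server access logs, as an added example that is not part of the exploit-db entry or of Laravel Nova's own code: it parses each request line, extracts the `range` query parameter from calls to the `/nova-api/metrics/` endpoint, flags values outside the set of ranges the application actually offers, and reports bursts of metric requests from a single user within a short window (the advisory's ten simultaneous requests). The log layout, the user names, the `ALLOWED_RANGES` set (only the default of 30 comes from the advisory) and the burst threshold are all assumptions; the sample log lines are constructed.

```python
"""
Added defender-side example (not from the exploit-db entry or Laravel Nova):
scan access logs for requests to the Nova metrics endpoint whose 'range'
parameter is outside the values the application offers, and for bursts of such
requests from one user. Log layout, users and the allowed ranges are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Ranges a metric legitimately offers. The default of 30 is stated in the
# advisory; the other values are assumed for illustration.
ALLOWED_RANGES = {30, 60, 90, 365}

# Assumed log layout: <ip> <user> [<timestamp>] "<method> <target> <proto>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def range_value(target):
    """Return the integer 'range' query value of a request target, or None."""
    values = parse_qs(urlsplit(target).query).get("range")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None  # non-numeric range: left to application-level validation


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "time": datetime.strptime(m.group("ts"), TS_FORMAT),
        "path": urlsplit(target).path,
        "range": range_value(target),
        "status": int(m.group("status")),
    }


def analyze(lines, allowed=ALLOWED_RANGES, burst_threshold=10, window_seconds=1.0):
    """Flag metric requests with out-of-allowlist ranges and per-user bursts.

    Returns {"out_of_range": [(user, range), ...], "bursts": {user: max_in_window}}.
    """
    out_of_range = []
    times_by_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/nova-api/metrics/"):
            continue  # malformed line or not the metrics endpoint
        if rec["range"] is not None and rec["range"] not in allowed:
            out_of_range.append((rec["user"], rec["range"]))
        times_by_user[rec["user"]].append(rec["time"])

    bursts = {}
    for user, times in times_by_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= burst_threshold:
            bursts[user] = best
    return {"out_of_range": out_of_range, "bursts": bursts}


# Constructed sample log: one normal request, ten simultaneous oversized-range
# requests from one user (the pattern the advisory describes), a non-metrics
# request that must be ignored, and one malformed line.
_METRICS = "/nova-api/metrics/sum-orders?timezone=Indian%2FMaldives&twelveHourTime=true"
SAMPLE_LOG = (
    [f'10.0.0.5 alice [04/Dec/2020:10:00:00 +0000] "GET {_METRICS}&range=30 HTTP/1.1" 200']
    + [f'10.0.0.9 mallory [04/Dec/2020:10:00:01 +0000] "GET {_METRICS}&range=3000000 HTTP/1.1" 200'] * 10
    + ['10.0.0.5 alice [04/Dec/2020:10:05:00 +0000] "GET /nova-api/orders?range=999999 HTTP/1.1" 200',
       'not an access log line']
)

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for user, rng in report["out_of_range"]:
        print(f"out-of-allowlist range={rng} from user={user}")
    for user, count in report["bursts"].items():
        print(f"burst: {count} metric requests within 1s from user={user}")
```

The two checks are deliberately independent: a single oversized `range` is already worth a finding because the server-side cost scales with that value, while the burst check catches the amplification step even when an attacker stays inside the allowlist. Restricting the path prefix keeps unrelated endpoints that happen to take a `range` parameter out of the report.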