Veris: Internal server error 500 at

ID H1:157986
Type hackerone
Reporter ak1t4
Modified 2016-08-13T06:39:00



i have discovered an internal server error (500) at in sentry app & possible DoS injection with data garbage



1)After Sending this request Sentry is crash with an internal server error showing version of sentry and the capability of sending the issue with a form:

2) The issue form permit send multiple reports without any validation and 200 code reply like this request:


POST /api/embed/error-page/?eventId=40df85725d9745f4b01148e7deab5858& HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Referer: Content-Length: 48 Cookie: _ga=GA1.2.102943685.1470375862; __utma=82828177.102943685.1470375862.1470375862.1470447007.2; __utmz=82828177.1470375862.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sentrysid="gAJ9cQEoWAoAAAB0ZXN0Y29va2llWAYAAAB3b3JrZWRxAlUFX25leHRYGQAAAC9hcGkvZW1iZWQvZXJyb3ItcGFnZS9pbi91Lg:1bWbwu:4ElVwbfFwj-m5qT7IQA5bqTFDNk"; csrf=QtgwRAMxUpMON9GE4JWHuSRyONQBsIqs Connection: close


and response:

HTTP/1.1 200 OK Server: nginx/1.4.6 (Ubuntu) Date: Tue, 09 Aug 2016 21:34:33 GMT Content-Type: application/json Content-Length: 0 Connection: close Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With Content-Language: es Access-Control-Max-Age: 1000 Vary: Accept-Language, Cookie Access-Control-Allow-Origin: Access-Control-Allow-Methods: GET, POST, OPTIONS Strict-Transport-Security: max-age=31536000


3) The POST method can change it for DELETE method, and the server responses with source code of sentry page form (see screenshots)


An attacker can use this information for information gathering and possible exploit of sentry app An attacker can use the post form (without user validation or captcha or limit report) and send multiple reports with garbage data for possible DoS in server resources (cpu, me, disk, etc)


Change permissions over sentry app log report and close for unauthorized access

Let me know if more info needed

Best Regards