huntr / Nehalr777 / 733678B9-DAA1-4D6A-875A-382FA09A6E38
History: Sep 22, 2022 - 2:35 p.m.

No limit on email length may result in a possible DoS attack

2022-09-22 14:35:30
nehalr777
www.huntr.dev
7
rfc email validation
dos attack
user input length
email parameter

EPSS

0.001

Percentile

37.9%

Description

RFC 5321 caps an email address at 254 characters in total (at most 64 for the local part and 255 for the domain). rdiffweb does not validate email length at all, so an address far beyond that limit is accepted and stored. If a user signs up with, or changes their email to, a value of one million characters or more, every request that subsequently loads or processes that address (login, withdrawal, or changing the email again) has to handle the oversized string, and the server can be overloaded into a denial of service.

Proof of Concept

  1. Go to https://rdiffweb-demo.ikus-soft.com/prefs/general
  2. This page lets you change the email address associated with your account
  3. Submit a very long email address, one that exceeds 1000 characters
  4. The long email is accepted without complaint: no maximum length is enforced on this user-controlled parameter

Mitigation: Enforce a maximum length on the email parameter (for example the RFC 5321 limit of 254 characters, 64 for the local part) and reject longer values before they are stored or processed.
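Added example (not rdiffweb's own code): a length-first email validator in Python, the language rdiffweb is written in, applied to a hypothetical profile store so the unchecked and the hardened update path sit side by side. The limits are the RFC 5321 values cited above; the store, handler names and sample inputs are constructed for illustration and are assumptions, not taken from the project.

```python
import re

# RFC 5321 section 4.5.3.1 limits, in octets. The 254-character address total
# follows from the 256-octet path limit minus the enclosing angle brackets.
MAX_LOCAL_PART = 64
MAX_DOMAIN = 255
MAX_ADDRESS = 254

# Deliberately simple syntax checks. The point of this example is bounding the
# input length before anything else touches it, not a full RFC 5322 grammar.
_LOCAL_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


class InvalidEmail(ValueError):
    """Raised for any address that fails validation."""


def validate_email(value) -> str:
    """Return `value` unchanged if it is an acceptable address, else raise.

    Length checks run first: they are O(1), so a one-million-character
    payload is rejected before any regex or database code sees it.
    """
    if not isinstance(value, str):
        raise InvalidEmail("email must be a string")
    if len(value) > MAX_ADDRESS:
        raise InvalidEmail(f"email longer than {MAX_ADDRESS} characters")

    local, sep, domain = value.rpartition("@")
    if not sep or not local or not domain:
        raise InvalidEmail("email must have the form local@domain")
    if len(local) > MAX_LOCAL_PART:
        raise InvalidEmail(f"local part longer than {MAX_LOCAL_PART} characters")
    if len(domain) > MAX_DOMAIN:
        raise InvalidEmail(f"domain longer than {MAX_DOMAIN} characters")

    # Only now, on a bounded string, do the syntax checks run.
    if (not _LOCAL_RE.match(local) or local.startswith(".")
            or local.endswith(".") or ".." in local):
        raise InvalidEmail("local part contains invalid characters")
    if not _DOMAIN_RE.match(domain):
        raise InvalidEmail("domain is not a valid hostname")
    return value


def is_valid_email(value) -> bool:
    try:
        validate_email(value)
        return True
    except InvalidEmail:
        return False


# Hypothetical in-memory profile store standing in for the application's
# user table (constructed for this example).
PROFILES = {"alice": {"email": "alice@example.com"}}


def set_email_unchecked(username: str, email: str) -> int:
    """Vulnerable pattern: whatever the form submits is stored as-is.

    Returns the stored length, which is unbounded.
    """
    PROFILES[username]["email"] = email
    return len(PROFILES[username]["email"])


def set_email(username: str, email: str) -> int:
    """Hardened pattern: validate (length first) before storing.

    Returns the stored length, which is now at most MAX_ADDRESS.
    """
    PROFILES[username]["email"] = validate_email(email)
    return len(PROFILES[username]["email"])


if __name__ == "__main__":
    oversized = "a" * 1_000_000 + "@example.com"   # constructed payload
    print("unchecked stored:", set_email_unchecked("alice", oversized))
    try:
        set_email("alice", oversized)
    except InvalidEmail as exc:
        print("hardened rejected:", exc)
```

Doing the length comparison before the regex matters: the regex cost (and the cost of every later step, such as writing the row or rendering the preferences page) is then bounded by 254 characters of input rather than by whatever the client chose to send.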

