Is there an existing issue for this?
Current Behavior
The search suggestion endpoint (/catalogsearch/ajax/suggest/) is vulnerable to Resource Exhaustion. Because the application logs and displays historical search terms without proper length validation or result limiting, an attacker (or accumulated malicious entries) can cause the server to generate an excessively large response. Attempting to fetch suggestions for commonly "poisoned" terms like test results in a 2.3MB+ response, leading to a 503 Service Unavailable error and potential server instability.
Expected Behavior
Pagination or a hard result limit that bounds the response size would be appropriate here.
Steps To Reproduce
- Open a browser and navigate to https://demo.openmage.org/.
- Intercept or directly access the following AJAX request: GET /catalogsearch/ajax/suggest/?q=test HTTP/1.1
- Observe the response headers. Initially, the server attempts to send a response with a Content-Length of approximately 2,376,347 bytes (2.3 MB).
- Observe that the response body is filled with thousands of list-item elements containing legacy SQL injection payloads and junk data from previous search logs.
- Repeat the request or observe the subsequent server behavior. The server eventually returns a 503 Service Unavailable error, indicating that the backend or the Gateway has crashed or timed out while processing the bloated data.
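The following is an added, language-neutral sketch of the mitigation proposed in Expected Behavior, placed next to the unbounded pattern the steps above describe. It is illustration code, not OpenMage code: the limits (MAX_QUERY_LEN, MAX_TERM_LEN, MAX_RESULTS, MAX_RESPONSE_BYTES), the function names and the POISONED_HISTORY sample are all assumptions constructed for the example.

```python
"""Bounded vs. unbounded search-suggestion rendering (illustration, not OpenMage code)."""
import html
from typing import Iterable, List, Tuple

# Tunables: assumed values for illustration, not OpenMage defaults.
MAX_QUERY_LEN = 128           # reject queries longer than this
MAX_TERM_LEN = 100            # never suggest a logged term longer than this
MAX_RESULTS = 10              # hard cap on suggestions per response
MAX_RESPONSE_BYTES = 16_384   # secondary cap on the rendered body size

# Constructed sample of a "poisoned" search log as (term, hit_count) rows:
# a few genuine terms plus thousands of junk entries sharing the prefix "test".
POISONED_HISTORY: List[Tuple[str, int]] = [
    ("test", 4200), ("test shirt", 310), ("tester kit", 12),
] + [(f"test' OR 1=1 -- junk {i:04d} " + "x" * 400, 1) for i in range(3000)]


def unbounded_suggestions(query: str, history: Iterable[Tuple[str, int]]) -> str:
    """The unsafe pattern the report describes: every logged term matching the
    prefix is rendered, with no length validation and no result limit, so the
    response grows with the size of the (attacker-influenced) search log."""
    q = query.lower()
    items = "".join(f"<li>{t}</li>" for t, _ in history if t.lower().startswith(q))
    return "<ul>" + items + "</ul>"


def bounded_suggestions(query: str, history: Iterable[Tuple[str, int]],
                        max_results: int = MAX_RESULTS) -> Tuple[int, str]:
    """Hardened version: validates the query, skips over-long logged terms,
    de-duplicates, HTML-escapes the output and stops at max_results items or
    MAX_RESPONSE_BYTES, whichever comes first. Returns (http_status, body)."""
    q = query.strip()
    if not q or len(q) > MAX_QUERY_LEN:
        return 400, ""                      # refuse absurd queries outright
    q_lower = q.lower()
    seen = set()
    parts: List[str] = []
    size = len("<ul></ul>")
    # Most popular terms first, so the cap keeps the useful suggestions.
    for term, count in sorted(history, key=lambda row: row[1], reverse=True):
        key = term.strip().lower()
        if (not key or len(term) > MAX_TERM_LEN
                or not key.startswith(q_lower) or key in seen):
            continue
        item = f"<li>{html.escape(term)} ({count})</li>"
        if size + len(item.encode()) > MAX_RESPONSE_BYTES:
            break                           # byte budget exhausted
        seen.add(key)
        parts.append(item)
        size += len(item.encode())
        if len(parts) >= max_results:
            break                           # item budget exhausted
    return 200, "<ul>" + "".join(parts) + "</ul>"


if __name__ == "__main__":
    big = unbounded_suggestions("test", POISONED_HISTORY)
    status, small = bounded_suggestions("test", POISONED_HISTORY)
    print(f"unbounded: {len(big.encode())} bytes")
    print(f"bounded:   HTTP {status}, {len(small.encode())} bytes -> {small}")
```

Running the module shows the unbounded rendering of the constructed log exceeding a megabyte while the bounded version returns three short, escaped items; the byte cap is a second line of defence in case the per-term length check is ever relaxed.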
Environment
Anything else?
Issue was reported by uranium_12 on hackerone.
Report Link: https://hackerone.com/reports/3707333