Bug #81523 The search bar on your site does not contain the attribute "maxlength"
Submitted: 2021-10-13 17:06 UTC Modified: 2023-05-24 06:56 UTC
From: neibase123 at gmail dot com Assigned:
Status: Open Package: Website problem
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None

 [2021-10-13 17:06 UTC] neibase123 at gmail dot com
Description:
------------
Your site's search bar doesn't contain the "maxlength" HTML attribute. I can enter an absurd number of characters; if your server doesn't filter these characters, they can cause a Denial of Service attack.

Test script:
---------------
// This script works on any page of the site that contains the search bar.
// Paste the lines into the browser's developer console one at a time.
// Tested on https://www.php.net/

// Fill the search field (the <input name="pattern">) with ten million characters.
document.getElementsByName("pattern")[0].value = "A".repeat(10000000);

// Read the value back to confirm the field holds the whole string.
document.getElementsByName("pattern")[0].value;

Expected result:
----------------
Demonstrates how a huge value can be set in the search bar; if an attacker enters it and your server doesn't filter these characters, they can cause a DoS attack.


History

 [2021-10-14 00:30 UTC] stas@php.net
-Package: *Web Server problem +Package: Website problem
 [2021-10-14 10:06 UTC] cmb@php.net
-Private report: No +Private report: Yes
 [2021-10-14 10:06 UTC] cmb@php.net
The missing maxlength attribute is certainly not a security issue,
since a client can ignore that.  Not restricting the length
server-side, however, might be an issue in this case.
 [2023-05-24 06:56 UTC] stas@php.net
-Type: Security +Type: Bug
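A server-side length check of the kind cmb@php.net's comment refers to, written as an added example that is not part of this report, of php.net or of the PHP project. It is plain Node.js; the request handlers, the limits MAX_PATTERN_LENGTH and MAX_QUERY_LENGTH, and the counting search backend are all assumed for illustration and say nothing about how php.net's real search is implemented. The example also shows why the client-side maxlength attribute is irrelevant: the query string is built directly, so no browser-side constraint is ever consulted.

```javascript
// Added example (not php.net's code): why maxlength is not a control, and what
// a server-side length check on the "pattern" search parameter looks like.
// All limits and handlers below are hypothetical.

const MAX_PATTERN_LENGTH = 256;  // assumed limit on the decoded search pattern
const MAX_QUERY_LENGTH = 2048;   // assumed cap on the raw query string

// Build the raw query string a browser would send for the search form.
// Nothing here consults an <input maxlength=...>: a user, a console script
// like the one in the report, or curl can make the pattern any length.
function buildSearchQuery(pattern) {
  return "pattern=" + encodeURIComponent(pattern);
}

// Naive handler: decodes whatever arrives and hands it straight to the search
// backend, so the work done is proportional to the attacker's input size.
function naiveSearchHandler(rawQuery, searchFn) {
  const params = new URLSearchParams(rawQuery);
  const pattern = params.get("pattern") ?? "";
  return { status: 200, results: searchFn(pattern) };
}

// Hardened handler: rejects an oversize raw query before parsing it at all,
// then rejects an oversize decoded pattern before the backend sees it.
function hardenedSearchHandler(rawQuery, searchFn) {
  if (rawQuery.length > MAX_QUERY_LENGTH) {
    return { status: 414, error: "query string too long" };
  }
  const params = new URLSearchParams(rawQuery);
  const pattern = params.get("pattern") ?? "";
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { status: 400, error: "pattern too long" };
  }
  return { status: 200, results: searchFn(pattern) };
}

// Constructed stand-in for the real search backend. It does work proportional
// to the pattern length and records how much work it was asked to do.
function makeCountingSearch() {
  const stats = { calls: 0, charsProcessed: 0 };
  const docs = ["array_map", "array_filter", "str_replace", "preg_match"]; // constructed corpus
  const search = (pattern) => {
    stats.calls += 1;
    stats.charsProcessed += pattern.length;
    return docs.filter((d) => d.includes(pattern));
  };
  return { search, stats };
}

// Stand-alone run: the naive handler processes ten million characters,
// the hardened one refuses the request before parsing it.
const hugeQuery = buildSearchQuery("A".repeat(10000000));
const naiveBackend = makeCountingSearch();
console.log(naiveSearchHandler(hugeQuery, naiveBackend.search).status, naiveBackend.stats);
const hardenedBackend = makeCountingSearch();
console.log(hardenedSearchHandler(hugeQuery, hardenedBackend.search), hardenedBackend.stats);
```

The raw-length check comes first on purpose: parsing the query string is itself work proportional to its size, so the cheapest rejection happens before URLSearchParams ever runs. In a real deployment the same two-stage idea applies to POST bodies (cap the body size at the web server, then validate the decoded field), and the web server's own limit on request-line length is a third, independent layer that a maxlength attribute never replaces.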
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 15:01:29 2024 UTC