Part-DB
cpe:2.3:a:part-db_project:part-db:*:*:*:*:*:*:*
- <= 1.17.2
A denial-of-service vulnerability has been identified in Part-DB, an open-source inventory management system for electronic components, in versions prior to 1.17.3. The issue allows authenticated users to upload profile pictures with deceptive file extensions, such as .jpg.txt. This results in a persistent 500 Internal Server Error when attempting to view or edit the affected user's profile, making it permanently inaccessible through the user interface for both users and administrators. The root cause lies in the application's handling of file extensions during avatar uploads: the stored file is not recognized as an image because of its extension, even though its contents are a valid image, and the resulting exception is not handled.
Exploiting this vulnerability locks users out of their profile settings and disrupts administrative functions, as administrators cannot manage affected users without encountering a 500 error. The issue requires manual intervention to resolve, such as cleaning up the filesystem or patching the database.
To reproduce this vulnerability, log in as a user with permission to change their avatar. Navigate to the user settings page and upload a valid image file with a misleading extension, such as .jpg.txt. After submitting the form, attempt to access the user settings again or manage the user through the admin panel. Both actions will result in a 500 Internal Server Error, indicating that the profile is now inaccessible.
Users can update to Part-DB version 1.17.3 or later, where this vulnerability has been patched.
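The defensive pattern that removes this class of bug is to decide what an upload is from its bytes rather than from the client-supplied filename, to reject mismatches at upload time with a client error, and to make the profile page degrade to a default avatar instead of raising if a bad record already exists. The following is an added example written for this advisory in Python; it is not Part-DB's own code (Part-DB is a PHP application) and the function names, magic-byte table and default avatar path are assumptions chosen for illustration.

```python
"""Added example: validate avatar uploads by content, not by filename extension."""
from __future__ import annotations

from pathlib import PurePosixPath

# Magic-byte signatures for the image formats an avatar field would accept
# (constructed table; extend as needed for the formats a deployment allows).
_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Filename extensions treated as equivalent to a detected format.
_ALIASES = {"jpeg": "jpg"}

# Assumed location of the fallback image served when a stored avatar is unusable.
DEFAULT_AVATAR = "/static/default-avatar.png"


class AvatarRejected(ValueError):
    """Raised for uploads that must be refused with a 4xx response, never a 500."""


def detect_image_format(data: bytes) -> str | None:
    """Return the image format implied by the leading bytes, or None."""
    for fmt, sigs in _SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    # WEBP is a RIFF container: 'RIFF' <4-byte size> 'WEBP'.
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def validate_avatar(filename: str, data: bytes, max_bytes: int = 2_000_000) -> str:
    """Return the extension the server should store the upload under.

    The stored extension is derived from the detected content, so a
    client-supplied name such as 'photo.jpg.txt' can never produce a file on
    disk that the image pipeline later fails to recognise.
    """
    if len(data) > max_bytes:
        raise AvatarRejected("file too large")
    fmt = detect_image_format(data)
    if fmt is None:
        raise AvatarRejected("content is not a supported image")
    # Only the final suffix matters: 'photo.jpg.txt' has extension 'txt'.
    ext = PurePosixPath(filename).suffix.lower().lstrip(".")
    ext = _ALIASES.get(ext, ext)
    if ext != fmt:
        raise AvatarRejected(
            f"extension '.{ext or '<none>'}' does not match detected {fmt} content"
        )
    return fmt


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Controller-style wrapper: (accepted, stored_extension_or_error_message)."""
    try:
        return True, validate_avatar(filename, data)
    except AvatarRejected as exc:
        return False, str(exc)


def avatar_path_or_default(stored_name: str, data: bytes) -> str:
    """Profile-page helper: never let a malformed stored avatar raise.

    This is the second layer: even if a bad record reached the database
    before validation existed, the page still renders with a fallback image.
    """
    if detect_image_format(data) is None:
        return DEFAULT_AVATAR
    return f"/media/avatars/{stored_name}"


if __name__ == "__main__":
    # Constructed sample uploads: a minimal JPEG header with padding.
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 12
    print(check_upload("me.jpg", jpeg_bytes))          # accepted, stored as jpg
    print(check_upload("me.jpg.txt", jpeg_bytes))      # rejected: extension mismatch
    print(check_upload("me.png", b"not an image"))     # rejected: not an image
    print(avatar_path_or_default("u1.png", b"garbage"))  # falls back to default
```

The upload-side check turns the condition the advisory describes (a valid image body under a non-image extension) into an ordinary validation failure, and the render-side helper means an already-corrupted record no longer blocks the user or an administrator from reaching the settings page to fix it.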