Pterodactyl Wings
cpe:2.3:a:pterodactyl:wings:*:*:*:*:*:*:*
- >= 1.7.0, < 1.12.0
A denial-of-service vulnerability has been identified in Pterodactyl Wings, affecting versions 1.7.0 up to, but not including, 1.12.0. The issue arises because Wings fails to account for SQLite's maximum parameter limit when handling activity log entries. This oversight allows a low-privileged user to flood the panel with activity records. Once Wings processes and sends these logs to the panel, it deletes the corresponding entries from its SQLite database. However, the deletion is issued as a single query that does not respect SQLite's limit of 32,766 bound variables per statement. As a result, if Wings attempts to delete more entries than this limit allows in one query, the query fails with an SQL logic error and no entries are removed. The unremoved entries are then reprocessed and resent to the panel on every cron run, while new activity data keeps accumulating on top of them. Exploiting this vulnerability can cause the panel's database server to exhaust its disk space.
Exploitation of this vulnerability leads to excessive activity log data being uploaded to the panel, causing the database server to run out of disk space.
The vulnerability can be reproduced by generating over 32,766 activity entries, which can be done through normal use, such as transferring a large number of small files via SFTP. This activity creates numerous log entries that can trigger the vulnerability.
Users can upgrade to Pterodactyl Wings version 1.12.0 or later, where this vulnerability has been fixed.