Outray Subdomain Limit Bypass Vulnerability in Web Application
Vulnerability
A race condition vulnerability has been identified in the Outray open-source ngrok alternative, specifically in versions prior to 0.1.5. This vulnerability allows free plan users to exceed their allotted subdomain limits. The issue arises from the absence of database transaction locks in the subdomain management route, enabling users to exploit the timing between database read and write operations. By sending parallel requests, an attacker can manipulate the system into granting additional subdomains beyond what is permitted by their subscription plan.
Impact
Exploitation of this vulnerability allows users to gain an unlimited number of subdomains, bypassing subscription restrictions.
Reproduction
The vulnerability can be reproduced by sending multiple parallel requests to the subdomain creation endpoint with different subdomain names. This can be done using a tool like Burp Suite to intercept and modify the requests, taking advantage of the race condition between checking subdomain availability and inserting new subdomains into the database.
Remediation
Users are advised to update to Outray version 0.1.5, where this vulnerability has been fixed.
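The check-then-insert race described above, next to a version that takes the write lock before reading the quota. This is an added example, not Outray's code or its actual fix: SQLite stands in for the project's database, and the table layout, `LIMIT`, `PARALLEL`, `create_subdomain` and `simulate` are assumptions made for the simulation.

```python
import os, sqlite3, tempfile, threading

LIMIT = 1      # constructed free-plan quota; the page does not state the real limit
PARALLEL = 4   # number of simultaneous creation requests in the simulation

def create_subdomain(path, owner, name, locked, barrier):
    # One connection per request, as separate HTTP handlers would have.
    db = sqlite3.connect(path, isolation_level=None, timeout=10)
    count_sql = "SELECT COUNT(*) FROM subdomains WHERE owner = ?"
    insert_sql = "INSERT INTO subdomains (owner, name) VALUES (?, ?)"
    try:
        if not locked:
            # Vulnerable pattern: the quota read and the write are separate steps.
            used = db.execute(count_sql, (owner,)).fetchone()[0]
            barrier.wait()  # every request has now read the same stale count
            if used < LIMIT:
                db.execute(insert_sql, (owner, name))
        else:
            barrier.wait()  # all requests start together
            # Hardened pattern: take the write lock before reading the quota.
            db.execute("BEGIN IMMEDIATE")
            used = db.execute(count_sql, (owner,)).fetchone()[0]
            if used < LIMIT:
                db.execute(insert_sql, (owner, name))
            db.execute("COMMIT")
    finally:
        db.close()

def simulate(locked):
    """Run PARALLEL concurrent requests; return how many subdomains were stored."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "quota.db")
        setup = sqlite3.connect(path)
        setup.execute("CREATE TABLE subdomains (owner TEXT, name TEXT UNIQUE)")
        setup.commit()
        barrier = threading.Barrier(PARALLEL)
        workers = [threading.Thread(target=create_subdomain,
                                    args=(path, "free-user", f"app{i}", locked, barrier))
                   for i in range(PARALLEL)]
        for w in workers: w.start()
        for w in workers: w.join()
        stored = setup.execute("SELECT COUNT(*) FROM subdomains").fetchone()[0]
        setup.close()
        return stored

if __name__ == "__main__":
    print("unlocked:", simulate(False), "locked:", simulate(True), "limit:", LIMIT)
```

The barrier only makes the interleaving deterministic for the demonstration; in the unlocked handler the same overshoot happens whenever two requests read the count before either writes.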
