Open Source Social Network
cpe:2.3:a:opensource-socialnetwork:open_source_social_network:*:*:*:*:*:*:*
- < 9.0
A resource exhaustion vulnerability has been identified in Open Source Social Network (OSSN) versions prior to 9.0. It allows an attacker to upload a malicious image whose headers declare extreme pixel dimensions, such as 10000 by 10000 pixels. Although the compressed file may be small, the server allocates memory and CPU proportional to the declared dimensions when it decompresses and resizes the image, and that processing can exhaust server resources and cause a denial-of-service condition. The flaw lies in the image handling component, which processes uploaded images for thumbnail generation or resizing without first validating their dimensions. By manipulating image headers to claim large dimensions, an attacker can disrupt normal server operations, especially if the upload is repeated.
Exploitation of this vulnerability leads to a denial-of-service condition, causing the web server to crash or hang, and exhausts available server resources, making the platform unavailable to legitimate users.
To reproduce this vulnerability, upload an image file with exaggerated pixel dimensions, such as 10000 by 10000 pixels, through a feature that allows image uploads, such as a profile picture or post attachment. The server will attempt to process the image, leading to increased memory and CPU usage. If the image processing exceeds the server's resource limits, it can cause the web worker to crash or hang, disrupting service.
Users are advised to upgrade to OSSN version 9.0 or later, which includes improved validation of image dimensions and better resource management during processing. For those unable to upgrade immediately, it is recommended to adjust `php.ini` settings to limit `memory_limit` and `max_execution_time`, and to implement checks on image headers to reject files with excessive pixel dimensions before processing.
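The header-based check recommended above, as an added defensive example that is not OSSN's own code: the declared dimensions are read with `getimagesize()`, which parses only the file header and never decodes pixel data, and the file is rejected before any resize step runs. The pixel limits, the per-pixel memory estimate and the `$_FILES['avatar']` field name are assumptions for illustration.

```php
<?php
// Added example (not part of OSSN): reject an upload by its declared dimensions
// before handing it to GD for decoding or resizing. All limits are assumed values.

const MAX_WIDTH  = 4096;          // assumed policy limit, in pixels
const MAX_HEIGHT = 4096;
const MAX_PIXELS = 4096 * 4096;
// Rough decode-cost estimate: GD stores truecolor images at about 4 bytes per
// pixel; the 1.7 factor is a safety margin for overhead (assumption).
const BYTES_PER_PIXEL_ESTIMATE = 4 * 1.7;

// Returns ['ok' => true, ...] when the image may be processed, otherwise a reason.
function image_dimension_check(string $path): array
{
    // getimagesize() reads only the header, so inspecting a 10000x10000 image
    // here costs nothing; the expensive allocation happens only on decode.
    $info = @getimagesize($path);
    if ($info === false) {
        return ['ok' => false, 'reason' => 'not a recognised image'];
    }
    [$width, $height] = $info;
    if ($width <= 0 || $height <= 0) {
        return ['ok' => false, 'reason' => 'invalid dimensions'];
    }
    if ($width > MAX_WIDTH || $height > MAX_HEIGHT || $width * $height > MAX_PIXELS) {
        return ['ok' => false, 'reason' => "declared size {$width}x{$height} exceeds limit"];
    }
    // Second guard: estimate the decode cost against the PHP memory_limit that
    // the advisory recommends tuning, so the worker refuses rather than crashes.
    $needed = (int) ($width * $height * BYTES_PER_PIXEL_ESTIMATE);
    $limit  = php_ini_bytes((string) ini_get('memory_limit'));
    if ($limit > 0 && $needed > $limit - memory_get_usage(true)) {
        return ['ok' => false, 'reason' => 'decoding would exceed memory_limit'];
    }
    return ['ok' => true, 'width' => $width, 'height' => $height, 'mime' => $info['mime']];
}

// Convert php.ini shorthand such as "128M" to bytes; -1 (or empty) means unlimited.
function php_ini_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '' || $value === '-1') {
        return -1;
    }
    $unit = strtolower(substr($value, -1));
    $num  = (int) $value;               // leading numeric part, e.g. "128M" -> 128
    switch ($unit) {
        case 'g': return $num * 1024 * 1024 * 1024;
        case 'm': return $num * 1024 * 1024;
        case 'k': return $num * 1024;
        default:  return $num;
    }
}

// Usage in an upload handler (hypothetical field name):
// $check = image_dimension_check($_FILES['avatar']['tmp_name']);
// if (!$check['ok']) { http_response_code(422); exit($check['reason']); }
// Only after this check should the file reach imagecreatefromstring() or a resize call.
```

Because the check trusts the declared header, it should be combined with the `memory_limit` and `max_execution_time` settings mentioned above so that a file whose header lies about its size still fails inside a bounded worker instead of taking the server down.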