pkgs.alpinelinux.org - Denial of Service vulnerability
pkgs.alpinelinux.org is vulnerable to a denial of service vulnerability.
Simply sending an HTTP GET to the following URL will cause nginx to return a 502 error for between 5 and 15 seconds:
    https://pkgs.alpinelinux.org/packages?name=aabb%u003c&branch=edge
This suggests that this query kills the application server sitting behind nginx and results in a lack of availability until the backend server automatically restarts.
An attacker could exploit this vulnerability to deny availability of the pkgs.alpinelinux.org web server.
While I have not tested this extensively, it appears that any URL encoded unicode character sent as a part of the package search query results in this behavior.
I can’t seem to find a way to restrict this bug report or mark it as sensitive, perhaps someone could assist with that if possible?
Cheers
-eriner
(from redmine: issue id 9592, created on 2018-10-28, closed on 2018-12-28)
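As an added example (not code from the report or from the Alpine Linux project, and not a claim about what the backend actually does with the request): a defender-side query-string validator in Python that rejects non-standard percent-escapes such as `%u003c` at the edge, so a malformed search query is answered with a 400 by the front end instead of being handed to the application server. The root cause is not known from the report; the check below only enforces the RFC 3986 `%XX` escape form and strict UTF-8 decoding. The sample queries are constructed from the URL in the report, and the function names are this example's own.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl

# RFC 3986: a '%' in a query string must always be followed by exactly two hex
# digits. A bare '%', the non-standard '%uXXXX' form seen in the report, or
# '%zz' all fail this test. The lookahead matches only the offending '%'.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


class MalformedQueryError(ValueError):
    """Raised when a raw query string is not well-formed percent-encoding."""


def malformed_escapes(query: str) -> list[str]:
    """Return a short snippet for every malformed '%' sequence in `query`.

    Snippets are the '%' plus up to five following characters, enough to
    show '%u003c' in a log line without echoing the whole request.
    """
    return [query[m.start():m.start() + 6] for m in _BAD_ESCAPE.finditer(query)]


def check_query(query: str) -> tuple[bool, str]:
    """Validate a raw query string before it reaches the backend.

    Returns (True, "") when every escape is well-formed and the decoded bytes
    are valid UTF-8; otherwise (False, reason). The reason is safe to log.
    """
    bad = malformed_escapes(query)
    if bad:
        return False, "malformed percent-escape(s): " + ", ".join(bad)
    try:
        # errors="strict" makes the decoder raise on bytes that are not valid
        # UTF-8 (e.g. "%ff") instead of silently substituting U+FFFD.
        parse_qsl(query, keep_blank_values=True, errors="strict")
    except UnicodeDecodeError as exc:
        return False, "decoded bytes are not valid UTF-8: " + exc.reason
    return True, ""


def decode_query_strict(query: str) -> dict[str, str]:
    """Decode a query string into a dict, or raise MalformedQueryError.

    A front end would map the exception to HTTP 400 and log the reason.
    """
    ok, reason = check_query(query)
    if not ok:
        raise MalformedQueryError(reason)
    return dict(parse_qsl(query, keep_blank_values=True, errors="strict"))


if __name__ == "__main__":
    # Constructed inputs: the query from the report and a well-formed variant.
    for q in ("name=aabb%u003c&branch=edge", "name=aabb%3C&branch=edge", "name=%ff"):
        ok, reason = check_query(q)
        print(f"{q!r}: {'accept' if ok else 'reject'} {reason}")
```

The `%XX` check runs on the raw string before any decoding, which is the property that matters here: a decoder that accepts `%uXXXX` as an extension will happily turn the report's query into something the standard decoder never would, so the validator refuses the request rather than guessing what the backend might do with it.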