Pixel flood attack
An image file whose header declares dimensions of 0xfafa x 0xfafa (64250 x 64250 pixels) is uploaded and crashes the service. The file itself can be small: the damage comes from the declared dimensions, because a decoder or resizer that trusts them allocates a buffer for roughly 4.1 billion pixels (about 12 GB at 3 bytes per pixel) before it has processed a single byte of pixel data, exhausting memory or stalling the worker that handles the upload.
How To Perform
- Download the payload
- Upload it to the target service's image-handling endpoint (profile picture, attachment, etc.)
- Observe the service for performance degradation: rising memory use, request timeouts, crashed or restarted workers
HackerOne co-founder michiel provided some technical insight into this issue:
> We identified two problems:
>
> 1) Paperclip seems to always run the identify command with the exif:orientation option enabled, while only one Paperclip feature (auto orient) needs this option. This option caused the DoS at our side. We fixed this by monkey patching the way Paperclip builds a geometry string. This is probably something that should get fixed in Paperclip too.
>
> 2) Paperclip started resizing the uploaded image even before it validated whether the image's dimensions were too large. We fixed this by instructing Paperclip to run validations before starting the resizing process.
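The second fix above, validating declared dimensions before any resize, can be implemented independently of Paperclip. The following is an added example, not Paperclip's, ImageMagick's or HackerOne's code: it walks a JPEG's marker segments to read the width and height the SOF header declares, without decoding anything, and rejects the file when the declared pixel count exceeds a limit. The `MAX_PIXELS` value, the 3-bytes-per-pixel estimate and the `jpeg_header_stub` test input (a header-only JPEG stub with the 0xfafa x 0xfafa dimensions from the report) are assumptions constructed for the example.

```ruby
# Added example (not Paperclip's or HackerOne's code): read the dimensions a JPEG
# *declares* in its SOF header, without decoding it, and refuse to hand it to a
# resizer when the declared pixel count is too large. This is the "validate
# before resize" ordering from the fix quoted above, as a stand-alone check.

# SOFn markers carry the frame header (precision, height, width, components).
# 0xC4 (DHT), 0xC8 (JPG) and 0xCC (DAC) share the range but are not frames.
SOF_MARKERS = ((0xC0..0xCF).to_a - [0xC4, 0xC8, 0xCC]).freeze
MAX_PIXELS = 25_000_000 # assumption: ~5000x5000; tune to what your resizer may allocate

# Walk the marker segments until the first SOFn and return [width, height].
# Only headers are touched: no decompression, no pixel buffer.
def jpeg_declared_dimensions(bytes)
  soi = [0xFF, 0xD8].pack("C*")
  raise ArgumentError, "not a JPEG (missing SOI)" unless bytes.byteslice(0, 2) == soi
  pos = 2
  while pos + 4 <= bytes.bytesize
    raise ArgumentError, "expected marker at offset #{pos}" unless bytes.getbyte(pos) == 0xFF
    marker = bytes.getbyte(pos + 1)
    if marker == 0xFF                                       # fill byte; real marker follows
      pos += 1
      next
    end
    pos += 2
    next if marker == 0x01 || (0xD0..0xD7).cover?(marker)  # TEM / RSTn carry no length field
    break if marker == 0xD9 || marker == 0xDA               # EOI / SOS reached without a SOF
    seg_len = bytes.byteslice(pos, 2).unpack1("n")          # length includes its own 2 bytes
    if SOF_MARKERS.include?(marker)
      raise ArgumentError, "truncated SOF segment" if pos + 7 > bytes.bytesize
      _precision, height, width = bytes.byteslice(pos + 2, 5).unpack("Cnn")
      return [width, height]
    end
    pos += seg_len
  end
  raise ArgumentError, "no SOF segment found"
end

# Rough size of the buffer a naive decoder/resizer allocates for this image
# (assumption: 3 bytes per pixel; many pipelines use 4 or more).
def estimated_decode_bytes(width, height, bytes_per_pixel = 3)
  width * height * bytes_per_pixel
end

# The check to run *before* any identify/convert/resize step. Compare the
# product, not each side: a 1 x 4_000_000_000 image passes a per-side limit.
def safe_to_resize?(bytes, max_pixels: MAX_PIXELS)
  width, height = jpeg_declared_dimensions(bytes)
  width * height <= max_pixels
rescue ArgumentError
  false # unparsable header: reject rather than let the resizer guess
end

# Constructed test input: a header-only JPEG stub (SOI, SOF0, EOI) with the
# declared dimensions set as requested. Not a decodable image, just enough to
# show what a pixel-flood file tells a parser before any pixel data arrives.
def jpeg_header_stub(width, height)
  sof0 = [0xFF, 0xC0].pack("C*") +
         [17, 8, height, width, 3].pack("nCnnC") +          # length, precision, Y, X, Nf
         [1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1].pack("C*")    # 3 components: id, sampling, quant table
  [0xFF, 0xD8].pack("C*") + sof0 + [0xFF, 0xD9].pack("C*")
end

PIXEL_FLOOD = jpeg_header_stub(0xFAFA, 0xFAFA) # 64250 x 64250, as in the report
ORDINARY    = jpeg_header_stub(640, 480)

if __FILE__ == $PROGRAM_NAME
  [["pixel flood", PIXEL_FLOOD], ["ordinary", ORDINARY]].each do |name, data|
    w, h = jpeg_declared_dimensions(data)
    gib = (estimated_decode_bytes(w, h) / (1024.0**3)).round(2)
    puts "#{name}: #{data.bytesize} bytes on disk, declares #{w}x#{h}, " \
         "~#{gib} GiB to decode, safe_to_resize?=#{safe_to_resize?(data)}"
  end
end
```

Running the file shows the asymmetry the attack relies on: the 23-byte stub declares an image that would need roughly 11.5 GiB to decode, and the check rejects it without ever invoking ImageMagick. Paperclip shells out to ImageMagick's identify and convert, so ImageMagick's own policy.xml resource limits (width, height, area, memory) are a useful second line of defence behind a check like this one.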