The application is vulnerable to a pixel flood attack: once the payload has been uploaded as the logo, the application becomes slow and the admin page stops responding. This was tested on version 2023-12a and prior.
The admin page is the only part that became unresponsive.
If the logo does not change successfully, first upload any ordinary image and then upload the lottapixel image.
Impact
The admin loses access to the admin page and cannot perform any action there, which amounts to a complete DoS of the admin UI. This can affect the business of an organisation running mailcow, which will face unavailability and internal issues.
Patches
Patched in versions >= 2024-01
Workarounds
Secure your admin accounts, and do not upload unknown images as your mailcow UI logo.
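A pixel flood image is small on disk but declares enormous dimensions in its header, so a decoder that trusts the header allocates and processes far more than the upload size suggests. The defensive check is to read only the fixed-offset header fields and reject anything whose declared pixel count exceeds a sensible budget before any decoder touches the file. The following is an added example, not code from mailcow or the referenced POC; the 4-megapixel budget, the helper names, and the constructed PNG/GIF/JPEG header bytes are assumptions chosen for illustration.

```python
"""Reject oversized images by reading only the header, before any decoder runs."""
import struct

# Assumed policy value for this example: 4 megapixels is plenty for a UI logo.
MAX_LOGO_PIXELS = 4_000_000

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# JPEG Start-Of-Frame markers that carry the image dimensions (C4, C8, CC are not SOF).
JPEG_SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
                    0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def declared_dimensions(data: bytes):
    """Return (width, height) as declared in the file header, or None if unknown.

    Only fixed-offset header fields are read; no pixel data is decoded, so a
    file that lies about its size cannot make this function allocate anything.
    """
    # PNG: 8-byte signature, then IHDR chunk: length(4) type(4) width(4) height(4) ...
    if data[:8] == PNG_SIGNATURE and len(data) >= 24 and data[12:16] == b"IHDR":
        width, height = struct.unpack(">II", data[16:24])
        return width, height
    # GIF: 6-byte version tag, then little-endian logical screen width/height
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        width, height = struct.unpack("<HH", data[6:10])
        return width, height
    # JPEG: walk marker segments until a Start-Of-Frame marker carries the size
    if data[:2] == b"\xff\xd8":
        pos = 2
        while pos + 4 <= len(data):
            if data[pos] != 0xFF:
                return None  # malformed segment structure
            marker = data[pos + 1]
            if marker == 0xFF:  # fill byte between segments, skip it
                pos += 1
                continue
            seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker in JPEG_SOF_MARKERS:
                if pos + 9 > len(data):
                    return None
                # SOF payload after the 2-byte length: precision(1) height(2) width(2)
                height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
                return width, height
            pos += 2 + seg_len
        return None
    return None


def is_acceptable_logo(data: bytes, max_pixels: int = MAX_LOGO_PIXELS) -> bool:
    """True only for a recognised image whose declared pixel count fits the budget."""
    dims = declared_dimensions(data)
    if dims is None:
        return False  # unknown or malformed: refuse rather than hand it to a decoder
    width, height = dims
    if width == 0 or height == 0:
        return False
    return width * height <= max_pixels


def make_png_header(width: int, height: int) -> bytes:
    """Constructed sample input: PNG signature plus an IHDR chunk (CRC left zeroed)."""
    ihdr = struct.pack(">II", width, height) + bytes([8, 2, 0, 0, 0])  # 8-bit RGB
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\0\0\0\0"


if __name__ == "__main__":
    small = make_png_header(512, 128)
    huge = make_png_header(60000, 60000)  # 3.6 gigapixels declared in 33 bytes
    print("512x128 logo accepted:", is_acceptable_logo(small))
    print("60000x60000 accepted:", is_acceptable_logo(huge))
```

The check runs in constant time over at most a few dozen header bytes, so it belongs in the upload handler before the image is stored or passed to any resizing or rendering library. Files the function does not recognise are refused rather than forwarded, which is the safe default for an admin-only logo setting.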
References
Referenced POC: https://github.com/0xbunniee/MailCow-Pixel-Flood-Attack