NullByte8080/CVE-2026-36228

GitHub: NullByte8080/CVE-2026-36228

# CVE-2026-36228: Easy Chat Server 3.1 Chat Message mtowho Denial of Service PoC

This repository contains a benign-by-default proof of concept for `CVE-2026-36228`, a denial-of-service issue in Easy Chat Server 3.1 chat message handling.

This repository is for authorized security research and local reproduction only. Do not use it against systems you do not own or have explicit permission to test.

## Summary

Easy Chat Server 3.1 can terminate unexpectedly when processing a chat message request containing a large payload in the `mtowho` recipient field. The issue was observed after authenticating as a valid user, joining a chat session, and submitting a message request with approximately 40,000 `A` characters in `mtowho`.

The public PoC is dry-run by default. It prints the generated HTTP request unless the operator explicitly passes `--send`.

## Discoverer

Vaibhav D. Barkade

## Affected Product

- Product: Easy Chat Server
- Version: 3.1
- Component: Chat room message functionality
- Endpoint: `/body2.ghp`
- Parameter: `mtowho`
- Attack type: Remote
- Impact: Denial of Service

## Usage

Preview the generated request without sending traffic:

```bash
python3 poc.py 127.0.0.1 80
```

Send the request against an authorized lab target:

```bash
python3 poc.py 127.0.0.1 80 --send
```

If the target requires an authenticated session cookie, pass it explicitly:

```bash
python3 poc.py 127.0.0.1 80 --cookie 'SESSIONID=example' --send
```

Change the payload size:

```bash
python3 poc.py 127.0.0.1 80 --payload-size 40000 --send
```

## Expected Result

On a vulnerable lab target, submitting the oversized `mtowho` field can cause the Easy Chat Server process to terminate unexpectedly while processing the chat message request.

## Severity

The direct impact is remote denial of service. Severity is typically high when an authenticated low-privilege user can repeatedly crash the service over the network. It may be lower if exploitation requires privileged access or a non-default deployment condition.

## Mitigation

- Enforce strict maximum lengths for chat message parameters.
- Reject oversized `mtowho` values before processing.
- Validate recipient usernames against known users rather than trusting raw request values.
- Add robust exception handling around chat message parsing.
- Run the service under a supervisor that can restart it after a crash.
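
The first three mitigations can be applied in front of the server as a request pre-filter, for example in a reverse proxy. The sketch below is an added example, not code from this repository or from the vendor. The function name, the length caps, the `known_users` set and the `message` parameter in the sample requests are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

CHAT_ENDPOINT = "/body2.ghp"   # endpoint named in this README
MAX_RECIPIENT_LEN = 64         # assumed cap; align with the username policy in use
MAX_PARAM_BYTES = 4096         # assumed cap on each raw parameter string


def check_chat_request(target, body, known_users):
    """Decide whether to forward one request. Returns (allowed, reason).

    target: request target such as "/body2.ghp?a=b"; body: form-encoded body ("" if none).
    """
    parts = urlsplit(target)
    if parts.path.lower() != CHAT_ENDPOINT:
        return True, "not the chat message endpoint"

    # Size check on the raw strings first, so nothing oversized is even decoded.
    if any(len(raw) > MAX_PARAM_BYTES for raw in (parts.query, body)):
        return False, "parameter string too large"

    # The README does not say whether mtowho travels in the query or the body,
    # so collect it from both (names compared case-insensitively).
    recipients = []
    for raw in (parts.query, body):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            if name.lower() == "mtowho":
                recipients.extend(values)

    if len(recipients) > 1:
        return False, "duplicate mtowho"
    for recipient in recipients:
        if len(recipient) > MAX_RECIPIENT_LEN:
            return False, "mtowho too long"
        # Assumption: an empty recipient is allowed; anything else must be a known user.
        if recipient and recipient not in known_users:
            return False, "unknown recipient"
    return True, "ok"


if __name__ == "__main__":
    users = {"alice", "bob"}  # constructed sample user list
    samples = [  # constructed requests; "message" is a placeholder parameter name
        ("/body2.ghp?mtowho=alice&message=hi", ""),
        ("/body2.ghp", "mtowho=" + "A" * 100),
        ("/body2.ghp", "mtowho=mallory&message=hi"),
    ]
    for target, body in samples:
        print(target, len(body), check_chat_request(target, body, users))
```

A filter like this only narrows what reaches the parser; the server-side length check and exception handling listed above are still needed.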