# Attack Scenario Notes

## Overview

`CVE-2026-36228` describes a remote denial-of-service vulnerability in Easy Chat Server 3.1 chat message handling. The issue is triggered by submitting an oversized `mtowho` recipient value while sending a chat message as an authenticated user.

## Affected Pattern

1. The attacker creates or uses a valid Easy Chat Server account.
2. The attacker logs into the chat application.
3. The attacker establishes a chat session.
4. The attacker submits a chat message request with a large `mtowho` value.
5. The Easy Chat Server process terminates unexpectedly while processing the request.

## Verification Payload

The submitted proof payload is approximately:

```text
mtowho=A * 40000
```

The public PoC is dry-run by default and requires `--send` before transmitting a request.

## Lab Reproduction

Dry run:

```bash
python3 poc.py 127.0.0.1 80
```

Authorized lab send:

```bash
python3 poc.py 127.0.0.1 80 --send
```

With an authenticated cookie:

```bash
python3 poc.py 127.0.0.1 80 --cookie 'SESSIONID=example' --send
```

## Impact Assessment

The primary impact is denial of service. A low-privilege authenticated remote user may be able to repeatedly crash the Easy Chat Server process over the network.

Suggested CVSS-style framing:

- High if any authenticated user can crash the service remotely and repeatedly.
- Medium if exploitation requires special chat-room state, non-default configuration, or elevated privileges.
- Low if the crash is not reliable or the service automatically recovers without meaningful user impact.

## Defensive Guidance

- Apply strict maximum length limits to `mtowho`.
- Validate `mtowho` against existing recipient usernames.
- Reject oversized POST bodies and oversized form fields.
- Add safe parsing and exception handling in chat message processing.
- Monitor and restart the service automatically after process failure.
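
One way to apply the first three guidance items in a filter placed in front of the chat handler, shown as an added example (not code from the vendor or from the PoC). The size limits, the `text` field name, the user set and the function name `check_chat_post` are assumptions chosen for illustration.

```python
from __future__ import annotations
from urllib.parse import parse_qsl

# Assumed limits; tune to the deployment (not vendor-published values).
MAX_BODY_BYTES = 8 * 1024
MAX_FIELD_BYTES = 2 * 1024
MAX_MTOWHO_CHARS = 64
MAX_FIELDS = 32


def check_chat_post(body: bytes, known_users: set[str]) -> tuple[bool, str]:
    """Return (allowed, reason) for a form-encoded chat message body."""
    # Cheap size gate first, before any parsing touches the data.
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    try:
        fields = parse_qsl(body.decode("ascii"), keep_blank_values=True,
                           strict_parsing=True, max_num_fields=MAX_FIELDS)
    except (UnicodeDecodeError, ValueError):
        # Fail closed on anything the parser cannot cleanly interpret.
        return False, "malformed form body"
    recipients = []
    for name, value in fields:
        if len(value.encode("utf-8")) > MAX_FIELD_BYTES:
            return False, f"field {name!r} too large"
        if name == "mtowho":
            recipients.append(value)
    # Exactly one recipient: a duplicate could carry a second, unchecked value.
    if len(recipients) != 1:
        return False, "expected exactly one mtowho"
    recipient = recipients[0]
    if len(recipient) > MAX_MTOWHO_CHARS:
        return False, "mtowho too long"
    # Allow-list against existing accounts instead of pattern matching.
    if recipient not in known_users:
        return False, "unknown recipient"
    return True, "ok"


if __name__ == "__main__":
    users = {"alice", "bob"}  # constructed sample accounts
    samples = [  # constructed request bodies
        b"mtowho=alice&text=hello",
        b"mtowho=" + b"A" * 40000,
        b"mtowho=mallory&text=hi",
    ]
    for s in samples:
        print(len(s), check_chat_post(s, users))
```

Rejections are worth logging with the source address and session, since repeated "body too large" or "mtowho too long" results from one account match the pattern described above.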