Incorrect Implementation of Authentication Algorithm in cortezaproject/corteza-server

Valid

Reported on

Nov 10th 2021


Description

Hey, when I attempt to change the password after creating an account I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an Application-level Denial Of Service attack.

# Reproduction steps:

  1. Create an account by using any mail (I used temp mail) 

  2. Login

  3. Change password

  4. Set New password = Boundless Characters/Special characters/Numbers

  5. Done

Vulnerable Area

https://latest.cortezaproject.org/auth/change-password

Impact

Application-Level DoS

This allows for denial-of-service attacks through reworked submission of comprehensive passwords, tying up server resources in the expensive computation of the corresponding hashes.
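The mitigation the report asks for is to bound password length before any key-derivation work happens. Below is an added illustration of that check, not code from Corteza or from the reporter; the bounds (8 to 128 UTF-8 bytes), the scrypt parameters and the stored-hash format are all assumptions chosen for this example. The length is measured in bytes rather than characters, since bytes are what the KDF actually consumes.

```python
import hashlib
import hmac
import os

# Policy bounds: assumed for this example, not taken from the report or from Corteza.
MIN_PASSWORD_BYTES = 8
MAX_PASSWORD_BYTES = 128

# scrypt parameters kept modest so the example runs quickly; tune them for production.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_BYTES = 16


def check_password_length(password: str) -> bytes:
    """Reject out-of-bounds input *before* any expensive work is done.

    Length is measured in UTF-8 bytes, because that is what the KDF consumes;
    100 characters of multi-byte text can easily exceed a 128-character limit.
    """
    data = password.encode("utf-8")
    if len(data) < MIN_PASSWORD_BYTES:
        raise ValueError("password too short")
    if len(data) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")
    return data


def hash_password(password: str) -> str:
    """Cheap bounds check first, then the (deliberately slow) KDF."""
    data = check_password_length(password)
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(data, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=SCRYPT_MAXMEM)
    # Assumed storage format: algorithm and parameters alongside salt and digest.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Verification applies the same bound, so oversized input never reaches the KDF."""
    try:
        data = check_password_length(password)
    except ValueError:
        return False
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(data, salt=bytes.fromhex(salt_hex), n=int(n), r=int(r),
                            p=int(p), maxmem=SCRYPT_MAXMEM)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```

The same check belongs on every path that feeds user input to the hash function (registration, password change, login), not only on the change-password form named in the report. Note that bcrypt, unlike scrypt, silently truncates input at 72 bytes, so an application using bcrypt should cap length explicitly rather than rely on the truncation; a cap well below the KDF's own input limit also keeps the request-body size bounded.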

We are processing your report and will contact the cortezaproject/corteza-server team within 24 hours. a year ago
We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back a year ago
We have sent a follow up to the cortezaproject/corteza-server team. We will try again in 7 days. a year ago
7h3h4ckv157
a year ago

Researcher


Any updates? :)

7h3h4ckv157
a year ago

Researcher


@admin

Have to wait for more?

Jamie Slome
a year ago

Admin


@7h3h4ckv157 - our system will continue to lightly ping the maintainers to make sure they don't miss your report 👌

7h3h4ckv157
a year ago

Researcher


https://password-dos.herokuapp.com/

We have sent a second follow up to the cortezaproject/corteza-server team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the cortezaproject/corteza-server team. This report is now considered stale. a year ago
Tomaž Jerman validated this vulnerability a year ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
7h3h4ckv157
a year ago

Researcher


Is it conceivable to assign a CVE? I'm not sure in this case, just inquiring ...!

Jamie Slome
a year ago

Admin


We do not assign CVEs to this type of weakness / CWE unfortunately - thanks for the question 👋

We have sent a fix follow up to the cortezaproject/corteza-server team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the cortezaproject/corteza-server team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the cortezaproject/corteza-server team. This report is now considered stale. a year ago
Denis Arh marked this as fixed in 2021.9.x with commit 72c93c a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE