Incorrect Implementation of Authentication Algorithm in cortezaproject/corteza-server

Valid

Reported on

Nov 10th 2021


Description

Hey, when I attempted to change the password after creating an account, I noticed that you haven't set any password boundary. You need to limit the password length. Hashing a large amount of data can cause significant resource consumption on the server side and would be an easy target for an application-level Denial of Service attack.

Reproduction steps:

  1. Create an account by using any mail (I used temp mail)

  2. Login

  3. Change password

  4. Set New password = Boundless Characters/Special characters/Numbers

  5. Done

Vulnerable Area

https://latest.cortezaproject.org/auth/change-password

Impact

Application-Level DoS

This allows for denial-of-service attacks through repeated submission of very long passwords, tying up server resources in the expensive computation of the corresponding hashes.
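A defensive counterpart to the report, as an added example that is not Corteza's own code: a Go change-password handler that caps the request body and checks the password's byte length before any hash is computed. The limits, the route and the hash callback are assumptions.

```go
package main

import (
	"errors"
	"net/http"
)

// Bounds enforced before any hashing work (assumed values, not Corteza's own).
const (
	MinPasswordBytes = 8
	MaxPasswordBytes = 72      // bcrypt ignores everything past 72 bytes anyway
	MaxBodyBytes     = 4 << 10 // a change-password form never needs more than 4 KiB
)

var ErrPasswordTooShort = errors.New("password too short")
var ErrPasswordTooLong = errors.New("password too long")

// ValidatePasswordLength checks byte length, not rune count, so multi-byte characters cannot slip past a character-based limit.
func ValidatePasswordLength(pw string) error {
	switch n := len(pw); {
	case n < MinPasswordBytes:
		return ErrPasswordTooShort
	case n > MaxPasswordBytes:
		return ErrPasswordTooLong
	}
	return nil
}

// ChangePasswordHandler puts the cheap checks in front of the expensive hash. The hash
// callback stands in for the real hasher (bcrypt, argon2, ...) and is only reached once
// the body size and password length have been accepted.
func ChangePasswordHandler(hash func(string) ([]byte, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// Cap the body first so an oversized form fails before it is even parsed.
		r.Body = http.MaxBytesReader(w, r.Body, MaxBodyBytes)
		if err := r.ParseForm(); err != nil {
			http.Error(w, "malformed or oversized form", http.StatusBadRequest)
			return
		}
		pw := r.PostForm.Get("password")
		if err := ValidatePasswordLength(pw); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if _, err := hash(pw); err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}
}
```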

We are processing your report and will contact the cortezaproject/corteza-server team within 24 hours. 6 months ago
We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back 6 months ago
We have sent a follow up to the cortezaproject/corteza-server team. We will try again in 7 days. 6 months ago
Kiran PP
6 months ago

Researcher


Any updates? :)

Kiran PP
6 months ago

Researcher


@admin

Have to wait for more?

Jamie Slome
6 months ago

Admin


@7h3h4ckv157 - our system will continue to lightly ping the maintainers to make sure they don't miss your report 👌

Kiran PP
6 months ago

Researcher


https://password-dos.herokuapp.com/

We have sent a second follow up to the cortezaproject/corteza-server team. We will try again in 10 days. 6 months ago
We have sent a third and final follow up to the cortezaproject/corteza-server team. This report is now considered stale. 6 months ago
Tomaž Jerman validated this vulnerability 4 months ago
Kiran PP has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kiran PP
4 months ago

Researcher


Is it conceivable to assign a CVE? I'm not sure in this case, just asking ...!

Jamie Slome
4 months ago

Admin


We do not assign CVEs to this type of weakness / CWE unfortunately - thanks for the question 👋

We have sent a fix follow up to the cortezaproject/corteza-server team. We will try again in 7 days. 3 months ago
We have sent a second fix follow up to the cortezaproject/corteza-server team. We will try again in 10 days. 3 months ago
We have sent a third and final fix follow up to the cortezaproject/corteza-server team. This report is now considered stale. 3 months ago
Denis Arh confirmed that a fix has been merged on 72c93c 3 months ago
The fix bounty has been dropped