Able to create an account with long password leads to memory corruption / Integer Overflow in microweber/microweber
Mar 17th 2022
I have found that there is a way to create an account with the length of more than 10k or 100k characters where it may leads to Integer overflow and the backend memory can't handle this issue
Steps to Reproduce:
- Now we can create a simple account
- While creating an account , In the password field we can able to input more than 10k or 100k characters in length
- We can able to create 10k random string with the following Website Click Here
- Generate random 10k/100k characters and Input them in password field
- And the account will be created without any password length restriction
By sending a very long password (1.000.000 characters) it's possible to cause a denial a service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion.
This vulnerability was detected by sending passwords with various lengths and comparing the measured response times.