DoS due to unrestricted hashing in alextselegidis/easyappointments

Valid

Reported on Apr 13th 2022

Description

The application accepts password strings of any length and hashes them before looking the user up in the database, for example on login; no length check is applied before the hash is computed.

Because hashing is CPU-intensive and its cost grows with the length of the input, an attacker can cause a denial of service without any particular processing power: each request carries a very large password and forces the server to hash all of it.

Mitigation

The application should limit accepted passwords to a reasonable length (100 characters is enough) and reject longer input before hashing it.

This matters especially if password hashing is moved to bcrypt (to get a stronger, safer hash; this is hashing, not encryption), because bcrypt is slower and costs more CPU per attempt than the current SHA-256.
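The check described above, as an added example in PHP (the language Easy!Appointments is written in); this is not the project's own code or the fix that shipped. The function names, the `MAX_PASSWORD_BYTES` constant, the bcrypt cost and the sample inputs are assumptions made for the example. It runs the length guard ahead of `password_verify()` and also times one hash of a normal and of a 1 MiB password under SHA-256 and under bcrypt, so the cost difference the report refers to can be observed directly.

```php
<?php
// Added example for this report; not code from Easy!Appointments.
// Function names and MAX_PASSWORD_BYTES are assumptions for illustration.
declare(strict_types=1);

const MAX_PASSWORD_BYTES = 100;   // the limit suggested in the report
const BCRYPT_COST = 10;           // assumed cost factor

/**
 * Reject over-long input before any hashing happens. Measured in bytes
 * (strlen), not characters: hashing cost scales with bytes, and a limit in
 * characters would let multi-byte UTF-8 input be up to 4x larger.
 */
function password_length_ok(string $password): bool
{
    return strlen($password) <= MAX_PASSWORD_BYTES;
}

/** Verify a login attempt; the length check runs first so a huge body costs nothing. */
function verify_login(string $password, string $storedHash): bool
{
    if (!password_length_ok($password)) {
        return false;             // no hash is computed for this request
    }
    return password_verify($password, $storedHash);
}

/** Wall-clock time in milliseconds of one hash of $password under the given scheme. */
function time_hash(string $scheme, string $password): float
{
    $start = hrtime(true);
    if ($scheme === 'sha256') {
        hash('sha256', $password);
    } else {
        password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return (hrtime(true) - $start) / 1e6;
}

// Constructed sample inputs: an ordinary password and a 1 MiB one of the kind
// an attacker could post to the login form.
$normal = 'correct horse battery staple';
$huge   = str_repeat('A', 1024 * 1024);

foreach (['sha256', 'bcrypt'] as $scheme) {
    printf("%-7s normal: %8.3f ms   1 MiB: %8.3f ms\n",
        $scheme, time_hash($scheme, $normal), time_hash($scheme, $huge));
}

// With the guard in place the 1 MiB attempt never reaches password_verify().
$stored = password_hash($normal, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
var_dump(verify_login($normal, $stored));   // accepted and verified
var_dump(verify_login($huge, $stored));     // rejected before any hashing
```

Two things the timings make visible. SHA-256 cost grows linearly with input size, so the 1 MiB password costs far more than the short one; that is the vector the report describes. bcrypt only uses the first 72 bytes of its input, so its time is the same for both inputs, but that time is large for every attempt, which is why the report says the length check matters even more after a move to bcrypt: the guard keeps oversized bodies away from the hash, and because bcrypt ignores everything past 72 bytes anyway, nothing is lost by rejecting them.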

Impact

An attacker could take the system down with few resources, probably only a few hundred HTTP requests.

We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours. 2 years ago
We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back 2 years ago
We have sent a follow up to the alextselegidis/easyappointments team. We will try again in 7 days. 2 years ago
Alex Tselegidis validated this vulnerability 2 years ago
Francesco Carlucci has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the alextselegidis/easyappointments team. We will try again in 7 days. 2 years ago
We have sent a second fix follow up to the alextselegidis/easyappointments team. We will try again in 10 days. 2 years ago
We have sent a third and final fix follow up to the alextselegidis/easyappointments team. This report is now considered stale. 2 years ago
Alex Tselegidis marked this as fixed in 1.5.0 with commit e3d367 2 years ago
Alex Tselegidis has been awarded the fix bounty
This vulnerability will not receive a CVE