Incorrect Implementation of Authentication Algorithm in cortezaproject/corteza-server

Valid

Reported on

Nov 10th 2021

Description

Hey, when I attempt to change the password after creating an account I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an Application-level Denial Of Service attack.

#Reproduction steps:

  1. Create an account by using any mail (I used temp mail) 

  2. Login

  3. Change password

  4. Set New password = Boundless Characters/Special characters/Numbers

  5. Done

Vulnerable Area

https://latest.cortezaproject.org/auth/change-password

Impact

Application-Level DoS

This allows for denial-of-service attacks through reworked submission of comprehensive passwords, tying up server resources in the expensive computation of the corresponding hashes.

References

https://www.google.com/search?q=no+length+password+length+leads+to+dos+&client=firefox-b-d&sxsrf=AOaemvLHSo00k12eN0te7YZNGrtqstSpBA%3A1636573491846&ei=MyGMYY-FM6vA3LUP17Kh6AY&oq=no+length+password+length+leads+to+dos+&gs_lcp=Cgdnd3Mtd2l6EAMyBAgjECc6BwgAEEcQsANKBAhBGABQ2QNYzhFg1hRoAXACeACAAZADiAGUBpIBBTMtMS4xmAEAoAEByAEIwAEB&sclient=gws-wiz&ved=0ahUKEwjP6oStx470AhUrILcAHVdZCG0Q4dUDCA0&uact=5

We are processing your report and will contact the cortezaproject/corteza-server team within 24 hours. 2 years ago

We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back 2 years ago

We have sent a follow up to the cortezaproject/corteza-server team. We will try again in 7 days. 2 years ago

7h3h4ckv157

commented 2 years ago

Researcher

Any updates? :)

7h3h4ckv157

commented 2 years ago

Researcher

@admin

Have to wait for more?

Jamie Slome

commented 2 years ago

Admin

@7h3h4ckv157 - our system will continue to lightly ping the maintainers to make sure they don't miss your report 👌

7h3h4ckv157

commented 2 years ago

Researcher

https://password-dos.herokuapp.com/

We have sent a second follow up to the cortezaproject/corteza-server team. We will try again in 10 days. 2 years ago

We have sent a third and final follow up to the cortezaproject/corteza-server team. This report is now considered stale. 2 years ago

Tomaž Jerman validated this vulnerability 2 years ago

7h3h4ckv157 has been awarded the disclosure bounty

The fix bounty is now up for grabs

7h3h4ckv157

commented 2 years ago

Researcher

Is it conceivable for assigning a CVE? I'm not sure within the case, fair inquiring ...!

Jamie Slome

commented 2 years ago

Admin

We do not assign CVEs to this type of weakness / CWE unfortunately - thanks for the question 👋

We have sent a fix follow up to the cortezaproject/corteza-server team. We will try again in 7 days. 2 years ago

We have sent a second fix follow up to the cortezaproject/corteza-server team. We will try again in 10 days. 2 years ago

We have sent a third and final fix follow up to the cortezaproject/corteza-server team. This report is now considered stale. 2 years ago

Denis Arh marked this as fixed in 2021.9.x with commit 72c93c 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation

We are processing your report and will contact the cortezaproject/corteza-server team within 24 hours. 2 years ago

We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back 2 years ago

We have sent a follow up to the cortezaproject/corteza-server team. We will try again in 7 days. 2 years ago

7h3h4ckv157

commented 2 years ago

Researcher

Any updates? :)

7h3h4ckv157

commented 2 years ago

Researcher

@admin

Have to wait for more?

Jamie Slome

commented 2 years ago

Admin

@7h3h4ckv157 - our system will continue to lightly ping the maintainers to make sure they don't miss your report 👌

7h3h4ckv157

commented 2 years ago

Researcher

https://password-dos.herokuapp.com/

We have sent a second follow up to the cortezaproject/corteza-server team. We will try again in 10 days. 2 years ago

We have sent a third and final follow up to the cortezaproject/corteza-server team. This report is now considered stale. 2 years ago

Tomaž Jerman validated this vulnerability 2 years ago

7h3h4ckv157 has been awarded the disclosure bounty

The fix bounty is now up for grabs

7h3h4ckv157

commented 2 years ago

Researcher

Is it conceivable for assigning a CVE? I'm not sure within the case, fair inquiring ...!

Jamie Slome

commented 2 years ago

Admin

We do not assign CVEs to this type of weakness / CWE unfortunately - thanks for the question 👋

We have sent a fix follow up to the cortezaproject/corteza-server team. We will try again in 7 days. 2 years ago

We have sent a second fix follow up to the cortezaproject/corteza-server team. We will try again in 10 days. 2 years ago

We have sent a third and final fix follow up to the cortezaproject/corteza-server team. This report is now considered stale. 2 years ago

Denis Arh marked this as fixed in 2021.9.x with commit 72c93c 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation