Not a bug Vulnerability Type: No Password Length Restriction leads to Denial of Service

MattW

Well-known member
Affected version
2.1.12
Reporting it, so at least it's been asked

Just been CC'd onto this mail reporting a Vulnerability within XF

Code:
Vulnerability Type:  No Password Length Restriction leads to Denial of Service

Description:

I am able to create a password with 1000000 words, which fully leads to a MySQL or server-side Denial of Service attack. Also, this issue can dump your database.

You need to decrease the password length: there are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for a Denial of Service attack.

Normally all sites have a password minimum-to-maximum length, like a 72-word limit or a 48 limit, to prevent a Denial of Service attack in MySQL, but on your website there is no limitation.

Proof of concept:

The password which I tried was:
Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@ SNIPPED FOR LIMIT  4567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@Lala1234567@
Sincerely,
Usman

Not sure if this is to be taken seriously or not??
 
In future, it's probably worth bringing vulnerability questions to us privately, though I can tackle this one directly because it's generally bogus. It's also essentially a form message by a researcher. We've had that exact message forwarded to us before.

In the absence of anything else, Bcrypt is inherently limited in length. (See the caution here: https://www.php.net/manual/en/function.password-hash.php) To be totally unambiguous, 2.2 has introduced an explicit limit in code as well, mostly as it's much clearer to say "XenForo limits any password to 4096 bytes so this report is incorrect", instead of pointing out the algorithm-specific limit.
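The reply above describes two layers of protection: bcrypt only ever uses the first 72 bytes of its input, and 2.2 adds an explicit 4096-byte cap so the answer to this report does not depend on algorithm details. The block below is an added example (not XenForo's code) of that defensive pattern: a cheap byte-length check in front of the password hash, applied on both registration and login. Python's standard library has no bcrypt, so `hashlib.scrypt` stands in for the KDF; the `PasswordTooLong` error, the function names and the sample passwords are assumptions made for this demo.

```python
"""Added example, not XenForo code: cap password length in bytes before any
hashing work happens. hashlib.scrypt is a stand-in for bcrypt (stdlib only);
names, the error class and sample inputs are assumptions for this demo."""
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 4096        # explicit cap, as the reply describes for 2.2
BCRYPT_SIGNIFICANT_BYTES = 72    # bcrypt only uses the first 72 bytes of input
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # ~16 MiB work factor, demo values


class PasswordTooLong(ValueError):
    """Raised before the KDF runs, so an over-long input costs almost nothing."""


def password_bytes(password: str) -> bytes:
    """Measure the limit in bytes, not characters: a multi-byte character
    inflates the hash input without changing len(password)."""
    return password.encode("utf-8")


def check_length(password: str) -> int:
    """Reject over-long passwords cheaply; return the byte length for logging."""
    n = len(password_bytes(password))
    if n > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password is {n} bytes, limit is {MAX_PASSWORD_BYTES}")
    return n


def is_acceptable(password: str) -> bool:
    """Boolean form of check_length for form validation."""
    try:
        check_length(password)
    except PasswordTooLong:
        return False
    return True


def bcrypt_effective_input(password: str) -> bytes:
    """The caution from the PHP manual: bcrypt sees only the first 72 bytes,
    so two passwords that differ after byte 72 hash identically."""
    return password_bytes(password)[:BCRYPT_SIGNIFICANT_BYTES]


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Registration path: length check first, then the expensive KDF."""
    check_length(password)
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password_bytes(password), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Login path: the same cap applies, so the login form cannot be used to
    burn KDF time with a huge candidate either."""
    if not is_acceptable(password):
        return False
    candidate = hashlib.scrypt(password_bytes(password), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed input in the spirit of the forwarded report: ~1.2 million chars.
    huge = "Lala1234567@" * 100_000
    print("huge password accepted?", is_acceptable(huge))          # False
    print("2048 x 'é' (4096 bytes) accepted?", is_acceptable("é" * 2048))  # True
    print("2049 x 'é' (4098 bytes) accepted?", is_acceptable("é" * 2049))  # False
    s, d = hash_password("correct horse battery staple")
    print("verify ok?", verify_password("correct horse battery staple", s, d))
```

Note that `check_length` runs before `hashlib.scrypt` in both paths; the ordering is the whole point, since a limit enforced after hashing would not remove the cost the report complains about.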
 
Yes, these are going around - received the SPF/DKIM one a couple of days ago... I was not aware that AWS rt53 deprecated the 'SPF' type DNS record....
 