Affected version: 2.3.10
Hi,
Today I noticed a strange behavior with long passwords on my XenForo forum.
I created a very long password:
Code:
https://5d8efaa502c219c3.demo-xenforo.com/2310/index.php
name admin and password 2222nhxb?;Fwgffx*nLLc;ESAH<,r|i3g2]7:DC?)9Rugd_Y;4Q@j`>tp,CDwtt6twSazmd(UQ^:z|I(tiU,2222
Logging in with the exact password works normally. However, if I append extra characters to the end of the password, I can still log in successfully. For example, all of these passwords are accepted:
Code:
2222nhxb?;Fwgffx*nLLc;ESAH<,r|i3g2]7:DC?)9Rugd_Y;4Q@j`>tp,CDwtt6twSazmd(UQ^:z|I(tiU,2222
2222nhxb?;Fwgffx*nLLc;ESAH<,r|i3g2]7:DC?)9Rugd_Y;4Q@j`>tp,CDwtt6twSazmd(UQ^:z|I(tiU,22221111
2222nhxb?;Fwgffx*nLLc;ESAH<,r|i3g2]7:DC?)9Rugd_Y;4Q@j`>tp,CDwtt6twSazmd(UQ^:z|I(tiU,22223333
2222nhxb?;Fwgffx*nLLc;ESAH<,r|i3g2]7:DC?)9Rugd_Y;4Q@j`>tp,CDwtt6twSazmd(UQ^:z|I(tiU,2222REWREWRERWRWE
It seems XenForo only validates the password up to a certain length and ignores everything after that point.
Is this expected behavior, a known limitation, or potentially a bug? Also, what is the actual maximum effective password length in XenForo?
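An added example, not part of the original post and not XenForo code: assuming the forum stores passwords with PHP's `password_hash()` and bcrypt (the post does not say which hash is used), bcrypt reads only the first 72 bytes of its input, which would produce the behaviour reported. The script measures the effective length for a constructed sample password and shows two server-side mitigations; `effectiveLength`, `withinBcryptLimit`, `prehash` and the pepper value are hypothetical names chosen for illustration.

```php
<?php
// Added example, not XenForo code. Assumption: hashes come from PHP's
// password_hash() with bcrypt, which uses only the first 72 bytes of input.

// Constructed sample password: 80 bytes, 8 of them past the bcrypt limit.
$password = str_repeat('correct-horse-', 5) . 'battery-42';
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]); // low cost: demo only

// Shortest prefix of $password that still verifies against $hash.
// Once a prefix verifies, every longer one does too, so binary search applies.
function effectiveLength(string $password, string $hash): int
{
    $lo = 1;
    $hi = strlen($password);
    while ($lo < $hi) {
        $mid = intdiv($lo + $hi, 2);
        if (password_verify(substr($password, 0, $mid), $hash)) {
            $hi = $mid;
        } else {
            $lo = $mid + 1;
        }
    }
    return $lo;
}

// Mitigation A: reject input that bcrypt would silently truncate (bytes, not characters).
function withinBcryptLimit(string $password): bool
{
    return strlen($password) <= 72;
}

// Mitigation B: keyed pre-hash so every byte feeds the bcrypt input.
// Hex HMAC-SHA-256 output is 64 bytes and NUL-free. The pepper is a constructed value.
function prehash(string $password, string $pepper = 'constructed-demo-pepper'): string
{
    return hash_hmac('sha256', $password, $pepper);
}

printf("suffix accepted by plain bcrypt: %s\n",
    var_export(password_verify($password . 'EXTRA', $hash), true));
printf("effective length: %d of %d bytes\n",
    effectiveLength($password, $hash), strlen($password));
printf("within limit: %s\n", var_export(withinBcryptLimit($password), true));

$hardened = password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => 4]);
printf("suffix accepted after pre-hash: %s\n",
    var_export(password_verify(prehash($password . 'EXTRA'), $hardened), true));
```

Mitigation B only applies to hashes created after the change, so existing accounts need re-hashing at their next successful login.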