No length defined ( For Setting Password )

RESOLVED FIXED

Status

()

bugzilla.mozilla.org
Extensions: UserProfile
RESOLVED FIXED
7 months ago
19 days ago

People

(Reporter: Raja Uzair Abdullah, Unassigned)

Tracking

Development/Staging
Bug Flags:
sec-bounty -

Details

(Reporter)

Description

7 months ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170628075643

Steps to reproduce:

I just setup Password with length of 110600 chars 


Actual results:

This will take more space then ordinary passwords in mozilla Server Side


Expected results:

This could lead to the taking more space in Server Side of Mozilla and Could lead to Danial Of Service while Validating Password chars by chars
(Reporter)

Comment 1

7 months ago
Its missing Best Practice Vulnerability  (with Limited Impact).
Moving to security while asking for review.
Group: bugzilla-security
Flags: sec-review?(dveditz)
Flags: sec-bounty?
Passwords are hashed, it doesn't matter how long they are.
The password being huge is not appreciably different than any other field being very big,
so in theory the request would be huge.
Flags: sec-review?(dveditz) → needinfo?(jclaudius)
This is a dupe of something, I'll figure it out in the morning. Or maybe someone else can.
Group: bugzilla-security
This does not appear to be a security related bug to me.  I believe dylan has this nailed down with comment 3.
Flags: needinfo?(jclaudius)
(Reporter)

Comment 6

6 months ago
I know,I just found a Missing Best Practice Bug as I Mentioned  in Comment 1
Flags: sec-bounty? → sec-bounty-
passwdqc now enforces some very large maximum.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a month ago
Resolution: --- → FIXED

Comment 8

a month ago
Any HOF chances? i had reported XSS stored but marked as self and too given HOF
rajauzairabdullah: Not in this case, we don't assess any security impact to the site or it's users as a result of this.  Thanks for asking though.
You need to log in before you can comment on or make changes to this bug.