No length defined (For Setting Password)



Extensions: UserProfile
7 months ago
19 days ago


(Reporter: Raja Uzair Abdullah, Unassigned)


Bug Flags:
sec-bounty -




7 months ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170628075643

Steps to reproduce:

I just set up a password with a length of 110600 chars.

Actual results:

This will take more space than ordinary passwords on Mozilla's server side.

Expected results:

This could lead to taking more space on the server side of Mozilla and could lead to denial of service while validating the password char by char.

Comment 1

7 months ago
It's a missing best practice vulnerability (with limited impact).
Moving to security while asking for review.
Group: bugzilla-security
Flags: sec-review?(dveditz)
Flags: sec-bounty?
Passwords are hashed, it doesn't matter how long they are.
The password being huge is not appreciably different than any other field being very big,
so in theory the request would be huge.
Flags: sec-review?(dveditz) → needinfo?(jclaudius)
This is a dupe of something, I'll figure it out in the morning. Or maybe someone else can.
Group: bugzilla-security
This does not appear to be a security-related bug to me. I believe dylan has this nailed down with comment 3.
Flags: needinfo?(jclaudius)

Comment 6

6 months ago
I know, I just found a missing best practice bug, as I mentioned in comment 1.
Flags: sec-bounty? → sec-bounty-
passwdqc now enforces some very large maximum.
Last Resolved: a month ago
Resolution: --- → FIXED
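
The two points made in this thread, that a hashed password occupies fixed storage and that a maximum length is now enforced before validation, shown as an added example (not Bugzilla's or passwdqc's code). The PBKDF2 scheme, the 4096-byte cap, the iteration count and all names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumed cap for illustration; the thread only says "some very large maximum".
MAX_PASSWORD_BYTES = 4096
PBKDF2_ITERATIONS = 100_000  # assumed work factor, not Bugzilla's setting
SALT_BYTES = 16


class PasswordTooLong(ValueError):
    """Raised when the submitted password exceeds the configured cap."""


def check_length(password: str) -> bytes:
    """Reject oversized input before any hashing work is done."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"{len(raw)} bytes exceeds {MAX_PASSWORD_BYTES}")
    return raw


def hash_password(password: str) -> bytes:
    """Return salt || derived key; the size is fixed whatever the input length."""
    raw = check_length(password)
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)
    return salt + dk


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison; oversized candidates fail without hashing."""
    try:
        raw = check_length(password)
    except PasswordTooLong:
        return False
    salt, expected = stored[:SALT_BYTES], stored[SALT_BYTES:]
    dk = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, expected)
```

The stored record is 48 bytes for an 8-character password and for a 4096-character one alike, so storage does not grow with password length; the cap only bounds the request size and the work done per attempt.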

Comment 8

a month ago
Any HOF chances? I had reported a stored XSS that was marked as self and was also given HOF.
rajauzairabdullah: Not in this case, we don't assess any security impact to the site or its users as a result of this. Thanks for asking though.