Closed Bug 1623009 Opened 4 years ago Closed 4 years ago

Long password denial of service in bugzilla.mozilla.org

Categories: bugzilla.mozilla.org :: General
Type: task; Priority: Not set; Severity: normal
Status: RESOLVED FIXED
People: Reporter: bh.bounty; Assigned: dkl
Keywords: sec-low, wsec-dos
Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Attachments: 2 files

Description: Long password denial of service

By sending a very long password (1.000.000 characters) it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion. Vulnerable password input: Bugzilla_password
Tests performed:
password of 1000000 characters => 30 s
password of 100 characters => 0.682 s
password of 100000 characters => 2.685 s
password of 1100000 characters => 29.999 s
password of 500 characters => 0.65 s

Steps to reproduce:
Intercept login request e.g. with Burp. Send intercepted request to repeater and increase number of characters in Bugzilla_password param, or send intercepted request to intruder, set payload Character block, setup numbers of chars min & max and monitor responses.

Flags: sec-bounty?
Group: websites-security → bugzilla-security
Component: Other → General
Product: Websites → bugzilla.mozilla.org
Flags: needinfo?(dkl)

For this we could impose a maximum password size. I would say around 4096 characters would be a good max. That is above what other sites set as a limit.

Simon, any issues with doing this?

Flags: needinfo?(dkl) → needinfo?(sbennetts)

No, that sounds a reasonable limit.

Flags: needinfo?(sbennetts)
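As an added example (not Bugzilla's code), the mitigation agreed above applied to the form field named in the report: a Python login handler that enforces the 4096-character limit before any password hashing runs. PBKDF2-HMAC-SHA256 and its iteration count are assumptions standing in for the site's real scheme, which the bug does not name.

```python
import hashlib
import hmac
import os

# Limit agreed in the discussion above: 4096 characters. UTF-8 bounds the hash
# input to at most 4 * 4096 bytes, so this check also bounds the hashing work.
MAX_PASSWORD_CHARS = 4096
# Assumed iteration count for this example, not the site's real setting.
PBKDF2_ROUNDS = 20_000


class PasswordTooLong(ValueError):
    """Raised for input over MAX_PASSWORD_CHARS; costs a single length check."""


def validate_password_length(password: str) -> bytes:
    """Reject oversized input before any hashing; return the bytes the hash consumes."""
    if len(password) > MAX_PASSWORD_CHARS:
        raise PasswordTooLong(f"password longer than {MAX_PASSWORD_CHARS} characters")
    return password.encode("utf-8")


def hash_password(password: str, salt=None, rounds: int = PBKDF2_ROUNDS):
    """Salted PBKDF2-HMAC-SHA256, a stand-in for the site's own scheme."""
    raw = validate_password_length(password)
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", raw, salt, rounds)


def verify_password(password: str, salt: bytes, expected: bytes, rounds: int = PBKDF2_ROUNDS) -> bool:
    """Same guard on the login path, so the hash is only recomputed for sane input."""
    raw = validate_password_length(password)
    actual = hashlib.pbkdf2_hmac("sha256", raw, salt, rounds)
    return hmac.compare_digest(actual, expected)


def handle_login(form: dict, salt: bytes, stored: bytes, rounds: int = PBKDF2_ROUNDS) -> tuple:
    """Minimal login handler; the field name is the one from the report."""
    password = form.get("Bugzilla_password", "")
    try:
        ok = verify_password(password, salt, stored, rounds)
    except PasswordTooLong as exc:
        return 400, f"rejected: {exc}"  # returned before any hashing happens
    return (200, "logged in") if ok else (401, "invalid login")


if __name__ == "__main__":
    # Constructed demo account; a 1,000,000-character attempt is refused immediately.
    salt, stored = hash_password("correct horse battery staple")
    print(handle_login({"Bugzilla_password": "x" * 1_000_000}, salt, stored))
```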
Attached patch 1623009_1.patch
Assignee: nobody → dkl
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #9142792 - Flags: review?(glob)
Comment on attachment 9142792
1623009_1.patch

Review of attachment 9142792:
-----------------------------------------------------------------

r=glob
Attachment #9142792 - Flags: review?(glob) → review+

Merged to master. Releasing today. Opening bug.

Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

Hi,
hope you are all fine ...

After all, bounty && hof ?

Best regards

The sec-bounty? flag means that this bug will be reviewed by the Bug Bounty Committee when it next meets, which is usually weekly.

Thank you Simon.

Hope to see you soon on the next bug :)
Best regards.

This appears to slow down your own query, but it's not a Denial of Service attack on the server or other users. Does not qualify for a bounty or the Hall of Fame.

Flags: sec-bounty?
Flags: sec-bounty-hof-
Flags: sec-bounty-