No Password Length Restriction leads to Denial of Service

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
1 year ago
We've received an email from an `ethical` hacker, his other points regarding vulnerabilities in our setup were correct so I assume the one below is too.
I am able to create a password with 1000000 words, which leads to a MySQL or server-side Denial of Service attack. Also, this issue can dump your database.

You need to decrease the password length: there are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource consumption on the server and would be an easy target for a Denial of Service attack.

Normally all sites have a minimum and maximum password length, like a 72-word limit or a 48 limit, to prevent Denial of Service attacks in MySQL, but on your website there is no limitation.

I've been unable to reproduce this one; does anyone believe this could be an issue with nopCommerce?
1 year ago
I think the concern is correct.
nopCommerce should include a max length restriction on passwords!
1 year ago
Any input from other active contributors?
Happy to create an issue and create a PR for an optional max password length if we have a consensus that nopCommerce needs this.
1 year ago
It's not about passwords. The same can be said about any input in nopCommerce: first name, last name, contact-us message, product reviews, etc.

But I'm not sure how exactly we can use it to reproduce Denial of Service. Anyway we'll investigate it further. Here is a work item
1 year ago
a.m. wrote:
It's not about passwords. The same can be said about any input in nopCommerce ...

I would disagree. The original post mentions that the issue is due to "hashing a large amount of data can cause significant resource consumption".
I.e. it's the expense of hashing/encrypting that can cause performance to be affected / DoS.
1 year ago
New York wrote:
I would disagree. The original post mentions that the issue is due to "hashing a large amount of data can cause significant resource consumption".

You're right. I've just created a new work item

I meant the following scenario with this work item:
1. A "hacker" registers a new account with a very, very long first name and last name (for example)
2. Each time a web request is made to the server, they are loaded from the database. Hence extra load on the server.
1 year ago
Hi. We've added a password length limit, see this commit for details.
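To make the fix discussed in this thread concrete, here is an added example (not code from nopCommerce, from the commit mentioned above, or from anyone in the thread), written in Python rather than nopCommerce's C# so it can be run directly: a length check that runs before any hashing, next to a constructed worst-case iterated hash whose cost grows with password length. The limit `MAX_PASSWORD_BYTES = 128`, the salt, and all function names are assumptions.

```python
import hashlib
import time

# Assumed limit for this example; the thread only says "a password length
# limit" was added, not its value.
MAX_PASSWORD_BYTES = 128


class PasswordTooLong(ValueError):
    """Raised before any hashing work is spent on an oversized password."""


def check_password_length(password: str, max_bytes: int = MAX_PASSWORD_BYTES) -> bytes:
    """Measure the password in UTF-8 bytes (what the hash actually consumes)
    and reject it if it exceeds the limit. Returns the encoded bytes."""
    raw = password.encode("utf-8")
    if len(raw) > max_bytes:
        raise PasswordTooLong(f"password is {len(raw)} bytes, limit is {max_bytes}")
    return raw


def is_rejected(password: str, max_bytes: int = MAX_PASSWORD_BYTES) -> bool:
    """Boolean form of the check for callers that prefer no exception."""
    try:
        check_password_length(password, max_bytes)
    except PasswordTooLong:
        return True
    return False


def naive_iterated_hash(raw: bytes, salt: bytes, rounds: int) -> bytes:
    """Constructed worst case, not a real KDF: every round re-hashes the
    whole password, so work grows with (password length x rounds)."""
    digest = salt
    for _ in range(rounds):
        digest = hashlib.sha256(digest + raw).digest()
    return digest


def hash_password(password: str, salt: bytes, rounds: int = 10_000,
                  enforce_limit: bool = True) -> bytes:
    """Weak setting (enforce_limit=False): hash whatever length arrives.
    Hardened setting (default): the length check runs before any hashing."""
    raw = check_password_length(password) if enforce_limit else password.encode("utf-8")
    return naive_iterated_hash(raw, salt, rounds)


def hashing_seconds(password: str, rounds: int = 500) -> float:
    """Wall-clock cost of hashing one unrestricted password, for comparison."""
    start = time.perf_counter()
    hash_password(password, b"constructed-salt", rounds, enforce_limit=False)
    return time.perf_counter() - start


if __name__ == "__main__":
    short, huge = "correct horse", "a" * 1_000_000   # constructed inputs
    print(f"13-byte password: {hashing_seconds(short):.4f}s")
    print(f"1 MB password:    {hashing_seconds(huge):.4f}s")
    print("hardened path rejects the 1 MB password:", is_rejected(huge))
```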