Opened 4 years ago

Last modified 22 months ago

#1382 assigned defect

I2P-Bote: local DoS with certain passwords makes messages irretrievable/unsendable

Reported by: ihave2p
Owned by: str4d
Priority: critical
Milestone:
Component: apps/plugins
Version: 0.9.14.1
Keywords: I2P-Bote reliability heisenbug
Cc:
Parent Tickets:

Description

Summary:
After changing the password to a certain password (with white spaces or trailing white space?), any attempt to access Bote messages or Bote itself will result in a local DoS (500 page).

CRITICAL: after first DoS, messages are completely inaccessible (afaik) regardless of restarting plugin/router.

PoC:
1) Original password (without quotes): "password"
2) Changed to (without quotes): "A A A A "
3) Password accepted without error
4) Clear password cache/clear browser cache, and enter 'old' password (without quotes): "password" --> "Wrong password. Try again."
5) Clear password cache/clear browser cache, and enter 'new' password (without quotes): "A A A A " --> presented with a 500 and Bote is inaccessible until plugin is restarted. Any attempts to change the password are accepted and cached *BUT*, when clearing the cache and entering any 'new' password, Bote is DoS'd until restarted.

Notes:
1) In some instances, any attempt to access Bote will result in DoS (500 page).
2) At the moment there is 1 'incomplete' message in the inbox. It has been there since before bug discovery, and is still there (as seen in the router log).

Subtickets

#1404: I2P-Bote: local DoS with certain passwords, #2 (defect, assigned, str4d)

Attachments (3)

log-router-0.txt (22.3 KB) - added by ihave2p 4 years ago.
bote.500.log (11.3 KB) - added by ihave2p 4 years ago.
just in case
log-router-1.txt (41.6 KB) - added by ihave2p 4 years ago.


Change History (14)

Changed 4 years ago by ihave2p

Changed 4 years ago by ihave2p

just in case

comment:1 Changed 4 years ago by ihave2p

  • Milestone 0.9.15 deleted

Changed 4 years ago by ihave2p

comment:2 Changed 4 years ago by ihave2p

  • Summary changed from Bote local DoS with certain passwords to Bote: local DoS with certain passwords makes messages irretrievable/unsendable

Update: deleting ./i2pbote/password will provide i2pbote webui access, but any messages in 'inbox', 'outbox' (and I imagine sent) will then be permanently(?) inaccessible (see log-router-1.txt).

NOTE: I --> cannot <-- reproduce the same bug on a clean install (rm -fr ./i2pbote ; $install_plugin) of i2pbote on 0.9.15.

Leaving as new because 'rm -fr' isn't a very kind fix...

comment:3 Changed 4 years ago by zzz

  • Owner set to HungryHobo
  • Status changed from new to assigned

comment:4 Changed 4 years ago by ihave2p

Add a subticket #1404.

comment:5 Changed 4 years ago by str4d

  • Keywords I2P-Bote added; Bote password DoS removed

comment:6 Changed 4 years ago by str4d

  • Keywords reliability heisenbug added

I cannot recreate this bug using latest trunk.

What version of I2P-Bote were you using? Not that it matters, because you were unable to recreate it either.

The 500 error "Can't decrypt using cached password" indicates that the password was accepted as valid, but was somehow not the password used to encrypt the files. But the password file is updated last, after the identities, address book and folders, and errors are not skipped. So... I have no ideas.

comment:7 Changed 4 years ago by ihave2p

Hi str4d,

The version of I2P-Bote was the latest version at the time of this ticket creation.

To clarify, at the time, I could reproduce on I2P 0.9.14 but not on 0.9.15.

Could Jetty or the browser I was using at the time somehow have created a race condition?

comment:8 Changed 4 years ago by ihave2p

  • Summary changed from Bote: local DoS with certain passwords makes messages irretrievable/unsendable to I2P-Bote: local DoS with certain passwords makes messages irretrievable/unsendable

comment:9 Changed 4 years ago by killyourtv

I'd be very surprised if this isn't related to the XSS filtering that was added to 0.9.14, fixed up some in 0.9.14.1 and 0.9.15 (kinda like #1339).

comment:10 Changed 2 years ago by zzz

  • Owner changed from HungryHobo to str4d

comment:11 Changed 22 months ago by str4d

Migrated to https://github.com/i2p/i2p.i2p-bote/issues - I will close these tickets as things are resolved rather than right now, but please make future comments on GitHub.
