Opened 5 years ago

Last modified 2 years ago

#1404 assigned defect

I2P-Bote: local DoS with certain passwords, #2

Reported by: ihave2p
Owned by: str4d
Priority: critical
Milestone:
Component: apps/plugins
Version: 0.9.15
Keywords: I2P-Bote
Cc:
Parent Tickets: #1382
Sensitive: no

Description

This borderlines major/critical. Marking as critical since Bote is now 50% useless without a restored backup. To my joy, this was *not* on my dev machine >:-|

Summary:
After attempting to change a working password to a blank password (nothing entered in the "New password" and "Confirm:" fields) and subsequently clearing the password cache of the *working* password, any further attempts to access Bote /folder.jsp?path=Trash or /folder.jsp?path=Trash ("Sent" or "Trash") messages result in local DoS (500 page). Unless a full ~/i2pbote restore is made, Bote "Sent" and "Trash" messages appear to be completely inaccessible.

To reproduce:
1) Go directly to settings and try to change to blank password
2) Clear password cache (key icon on top right)
3) Click on "Sent" or "Trash" and authenticate with old *working* password
4) Also click on "Inbox" and "Outbox" for comparison

Notes:
"Invalid header bytes: [0, 0, 0, 0], expected: [73, 66, 101, 102]" is returned after attempting to change the password from a working one to a blank one. The new blank password is never accepted and any attempts to enter a blank password (when authenticating) will return "Wrong password. Try again."

Restarting the router has no effect. Reinstalling the plugin has no effect. AFAIK, only a full ~/i2pbote restore of a working backup will restore complete functionality.
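A read-only triage sketch for the error quoted in the Notes above, added here and not part of the ticket or of I2P-Bote's code: it groups files by whether their first four bytes are the expected [73, 66, 101, 102] (ASCII "IBef") or the [0, 0, 0, 0] from the message. It assumes the header sits in the first four bytes of each stored file; the function names and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Both byte patterns come from the error message quoted in the ticket.
EXPECTED_HEADER = bytes([73, 66, 101, 102])  # ASCII "IBef"
ZEROED_HEADER = bytes([0, 0, 0, 0])
CLASSES = {EXPECTED_HEADER: "expected", ZEROED_HEADER: "zeroed"}


def classify_header(path):
    """Classify one file by its first four bytes (opened read-only)."""
    with open(path, "rb") as fh:
        head = fh.read(len(EXPECTED_HEADER))
    if len(head) < len(EXPECTED_HEADER):
        return "short"
    return CLASSES.get(head, "other")  # "other": neither pattern matched


def scan_tree(root):
    """Map header class -> sorted relative paths of the files under root."""
    report = {k: [] for k in ("expected", "zeroed", "short", "other", "unreadable")}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            kind = classify_header(path)
        except OSError:
            kind = "unreadable"
        report[kind].append(path.relative_to(root).as_posix())
    return report


def build_sample_tree(root):
    """Constructed sample data; folder and file names are made up."""
    samples = {
        "inbox/1.mail": EXPECTED_HEADER + b"\x01ciphertext",
        "sent/2.mail": ZEROED_HEADER + b"\x00" * 12,
        "trash/3.mail": ZEROED_HEADER + b"leftover",
        "outbox/4.mail": b"From: a\r\n\r\nplaintext",
        "outbox/5.mail": b"IB",
    }
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
```

Run against a copy of the data directory rather than the live one; the "zeroed" list is the set of files to compare against a backup.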


Attachments (1)

ticket-2014.10.31.log (8.6 KB) - added by ihave2p 5 years ago.


Change History (6)

Changed 5 years ago by ihave2p

Attachment: ticket-2014.10.31.log added

comment:1 Changed 5 years ago by str4d

Keywords: I2P-Bote added; Bote password DoS removed

comment:2 Changed 5 years ago by ihave2p

Summary: changed from "Bote: local DoS with certain passwords, #2" to "I2P-Bote: local DoS with certain passwords, #2"

comment:3 Changed 4 years ago by killyourtv

Could this also be XSSfilter related? I don't know which characters are whitelisted but I suspect or an empty string is not one of them.

(Just thinking aloud)

comment:4 Changed 3 years ago by zzz

Owner: set to str4d
Status: changed from new to assigned

comment:5 Changed 2 years ago by str4d

Migrated to https://github.com/i2p/i2p.i2p-bote/issues - I will close these tickets as things are resolved rather than right now, but please make future comments on GitHub.
