Opened 6 years ago
Last modified 4 years ago
#1404 assigned defect
I2P-Bote: local DoS with certain passwords, #2
Reported by: | ihave2p | Owned by: | str4d |
---|---|---|---|
Priority: | critical | Milestone: | |
Component: | apps/plugins | Version: | 0.9.15 |
Keywords: | I2P-Bote | Cc: | |
Parent Tickets: | #1382 | Sensitive: | no |
Description
This borderlines major/critical. Marking as critical since Bote is now 50% useless without a restored backup. To my joy, this was *not* on my dev machine >:-|
Summary:
After attempting to change a working password to a blank password (nothing entered in the "New password" and "Confirm:" fields) and subsequently clearing the password cache of the *working* password, any further attempts to access Bote /folder.jsp?path=Trash or /folder.jsp?path=Trash ("Sent" or "Trash") messages result in a local DoS (500 page). Unless a full ~/i2pbote restore is made, Bote "Sent" and "Trash" messages appear to be completely inaccessible.
To reproduce:
1) Go directly to settings and try to change to blank password
2) Clear password cache (key icon on top right)
3) Click on "Sent" or "Trash" and authenticate with old *working* password
4) Also click on "Inbox" and "Outbox" for comparison
Notes:
"Invalid header bytes: [0, 0, 0, 0], expected: [73, 66, 101, 102]" is returned after attempting to change the password from a working one to a blank one. The new blank password is never accepted and any attempts to enter a blank password (when authenticating) will return "Wrong password. Try again."
Restarting the router has no effect. Reinstalling the plugin has no effect. AFAIK, only a full ~/i2pbote restore of a working backup will restore complete functionality.
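The expected header in the error above, [73, 66, 101, 102], is ASCII "IBef", while the bytes actually found were all zero. As an added example (not part of the ticket or of I2P-Bote's code), this read-only Python script groups the files under a folder by their first four bytes so that files with a zeroed header can be listed before a backup is restored. Which files under ~/i2pbote carry this header is an assumption here, so a "mismatch" on a file that was never in that format is not a finding.

```python
import sys
import tempfile
from pathlib import Path

# Header bytes quoted in the ticket's error message: [73, 66, 101, 102].
EXPECTED_HEADER = bytes([73, 66, 101, 102])  # ASCII "IBef"


def classify_header(head: bytes) -> str:
    """Classify the leading bytes of one file against EXPECTED_HEADER."""
    n = len(EXPECTED_HEADER)
    if len(head) < n:
        return "truncated"
    if head[:n] == EXPECTED_HEADER:
        return "ok"
    if head[:n] == bytes(n):
        return "zeroed"  # the [0, 0, 0, 0] case from the ticket
    return "mismatch"


def scan(root: Path) -> dict:
    """Read only the first four bytes of each regular file under root."""
    report = {"ok": [], "zeroed": [], "truncated": [], "mismatch": [], "unreadable": []}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        name = path.relative_to(root).as_posix()
        try:
            with path.open("rb") as fh:
                report[classify_header(fh.read(len(EXPECTED_HEADER)))].append(name)
        except OSError:
            report["unreadable"].append(name)
    return report


def demo() -> dict:
    """Run scan() over constructed sample files (not real I2P-Bote data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "good.bin").write_bytes(EXPECTED_HEADER + b"\x01payload")
        (root / "sub" / "zeroed.bin").write_bytes(bytes(16))
        (root / "short.bin").write_bytes(b"IB")
        (root / "other.bin").write_bytes(b"plain text file")
        return scan(root)


if __name__ == "__main__":
    # Pass the folder to check as the first argument; without one, run the demo.
    result = scan(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for status, names in result.items():
        print(f"{status}: {names}")
```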
Attachments (1)
Change History (6)
Changed 6 years ago by
Attachment: | ticket-2014.10.31.log added |
---|
comment:1 Changed 6 years ago by
Keywords: | I2P-Bote added; Bote password DoS removed |
---|
comment:2 Changed 6 years ago by
Summary: | Bote: local DoS with certain passwords, #2 → I2P-Bote: local DoS with certain passwords, #2 |
---|
comment:3 Changed 6 years ago by
comment:4 Changed 4 years ago by
Owner: | set to str4d |
---|---|
Status: | new → assigned |
comment:5 Changed 4 years ago by
Migrated to https://github.com/i2p/i2p.i2p-bote/issues - I will close these tickets as things are resolved rather than right now, but please make future comments on GitHub.
Could this also be XSSfilter related? I don't know which characters are whitelisted but I suspect
or an empty string is not one of them.
(Just thinking aloud)