
Local DoS with certain passwords makes messages irretrievable/unsendable (Trac #1382)

Open str4d opened this issue 7 years ago • 13 comments

Summary: After changing the password to a certain password (with white spaces or trailing white space?), any attempt to access Bote messages or Bote itself will result in local DoS (500 page)

CRITICAL: after first DoS, messages are completely inaccessible (afaik) regardless of restarting plugin/router.

PoC:

  1. Original password (without quotes): "password"
  2. Changed to (without quotes): "A A A A "
  3. Password accepted without error
  4. Clear password cache/clear browser cache, and enter 'old' password (without quotes): "password" --> "Wrong password. Try again."
  5. Clear password cache/clear browser cache, and enter 'new' password (without quotes): "A A A A " --> presented with a 500 and Bote is inaccessible until plugin is restarted. Any attempts to change the password are accepted and cached BUT, when clearing the cache and entering any 'new' password, Bote is DoS'd until restarted.

Notes:

  1. In some instances, any attempt to access Bote will result in DoS (500 page).
  2. At the moment there is 1 'incomplete' message in the inbox. It has been there since before bug discovery, and is still there (as seen in the router log)

Migrated from https://trac.i2p2.de/ticket/1382

{
    "status": "assigned", 
    "changetime": "2017-01-15T13:57:30", 
    "description": "Summary:\nAfter changing the password to a certain password, (with white spaces or trailing white space?) any attempt to access Bote messages or Bote itself will result in local DoS (500 page)\n\nCRITICAL: after first DoS, messages are completely inaccessible (afaik) regardless of restarting plugin/router.\n\nPoC:\n1) Original password (without quotes): \"password\"\n2) Changed to (without quotes): \"A A A A \"\n3) Password accepted without error\n4) Clear password cache/clear browser cache, and enter 'old' password (without quotes): \"password\" --> \"Wrong password. Try again.\"\n5) Clear password cache/clear browser cache, and enter 'new' password (without quotes): \"A A A A \" --> presented with a 500 and Bote is inaccessible until plugin is restarted. Any attempts to change the password are accepted and cached *BUT*, when clearing the cache and entering any 'new' password, Bote is DoS'd until restarted.\n\nNotes:\n1) In some instances, any attempt to access Bote will result in DoS (500 page).\n2) At the moment there is 1 'incomplete' message in the inbox. It has been there since before bug discovery, and is still there (as seen in the router log))", 
    "reporter": "ihave2p", 
    "cc": "", 
    "resolution": "", 
    "_ts": "1484488650801096", 
    "component": "apps/plugins", 
    "summary": "I2P-Bote: local DoS with certain passwords makes messages irretrievable/unsendable", 
    "priority": "critical", 
    "keywords": "I2P-Bote reliability heisenbug", 
    "version": "0.9.14.1", 
    "parents": "", 
    "time": "2014-09-21T11:33:18", 
    "milestone": "", 
    "owner": "str4d", 
    "type": "defect"
}

str4d avatar Apr 16 '17 23:04 str4d

Trac update at 20140921T11:35:52: ihave2p changed attachment from "" to "log-router-0.txt"

str4d avatar Apr 17 '17 00:04 str4d

Trac update at 20140921T11:36:54:

  • ihave2p changed attachment from "" to "bote.500.log"
  • ihave2p commented:

just in case

str4d avatar Apr 17 '17 00:04 str4d

Trac update at 20140921T14:05:18: ihave2p changed milestone from "0.9.15" to ""

str4d avatar Apr 17 '17 00:04 str4d

Trac update at 20140921T19:54:54: ihave2p changed attachment from "" to "log-router-1.txt"

str4d avatar Apr 17 '17 00:04 str4d

Trac update at 20140921T20:03:10:

  • ihave2p commented:

Update: deleting ./i2pbote/password will provide i2pbote webui access but any messages in 'inbox' 'outbox' (and imagine sent) will then be permanently(?) inaccessible (see log-router-1.txt).

NOTE: I --> cannot <-- reproduce the same bug on a clean install (rm -fr ./i2pbote ; $install_plugin) of i2pbote on 0.9.15.

Leaving as new because 'rm -fr' isn't a very kind fix...

  • ihave2p changed summary from "Bote local DoS with certain passwords" to "Bote: local DoS with certain passwords makes messages irretrievable/unsendable"

str4d avatar Apr 17 '17 00:04 str4d

Trac update at 20140928T15:17:10:

  • zzz changed owner from "" to "HungryHobo"
  • zzz changed status from "new" to "assigned"

str4d avatar Apr 17 '17 00:04 str4d

Trac update at 20141031T13:08:34: ihave2p commented:

Add a subticket #32.

str4d avatar Apr 17 '17 00:04 str4d

Trac update at 20150109T23:40:02: str4d changed keywords from "Bote password DoS" to "I2P-Bote"

str4d avatar Apr 17 '17 00:04 str4d

Trac update at 20150129T10:56:40:

  • str4d commented:

I cannot recreate this bug using latest trunk.

What version of I2P-Bote were you using? Not that it matters, because you were unable to recreate it either.

The 500 error "Can't decrypt using cached password" indicates that the password was accepted as valid, but was somehow not the password used to encrypt the files. But the password file is updated last, after the identities, address book and folders, and errors are not skipped. So... I have no ideas.

  • str4d changed keywords from "I2P-Bote" to "I2P-Bote reliability heisenbug"

str4d avatar Apr 17 '17 00:04 str4d
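As an added illustration (constructed here, not I2P-Bote's own code or file format), a toy model of the layout str4d describes: folder files sealed under the password, a separate password file written last on a change, plus a per-file check that tells "password file accepts the string but the folders don't open" apart from corrupted folders, so nothing has to be deleted to find out which case you are in.

```python
import hashlib
import hmac

# Constructed model of a password-protected mail store (illustration only, not
# I2P-Bote's own format or code): each folder file is sealed under a key derived
# from the password, and a separate "password" file holds a sealed verifier.
def _key(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()

def _stream(key: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(password: str, plaintext: bytes) -> bytes:
    key = _key(password)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(key, len(plaintext))))
    return hmac.new(key, body, hashlib.sha256).digest() + body  # tag || body

def unseal(password: str, blob: bytes) -> bytes:
    key = _key(password)
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("Can't decrypt using cached password")
    return bytes(a ^ b for a, b in zip(body, _stream(key, len(body))))

def new_store(password: str, files: dict) -> dict:
    store = {name: seal(password, data) for name, data in files.items()}
    store["password"] = seal(password, b"verifier")
    return store

def unreadable_with(store: dict, password: str) -> list:
    """Names of files that do not open with `password`, checked one by one, so a
    password-file/folder mismatch is visible before anything gets deleted."""
    bad = []
    for name, blob in store.items():
        try:
            unseal(password, blob)
        except ValueError:
            bad.append(name)
    return sorted(bad)

def change_password(store: dict, old: str, new: str) -> None:
    """Re-seal the folders first and write the password file last, using the exact
    string `new` (trailing whitespace included) for both."""
    if unreadable_with(store, old):
        raise ValueError("Wrong password. Try again.")
    staged = {n: seal(new, unseal(old, b)) for n, b in store.items() if n != "password"}
    store.update(staged)
    store["password"] = seal(new, b"verifier")
```

If `unreadable_with` lists every folder but not the password file, the folders were sealed under a different string than the one the password file now accepts, and trying the candidate variants of the password against a single folder file is a safer first step than removing the password file.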

Trac update at 20150129T11:40:56: ihave2p commented:

Hi str4d,

The version of I2P-Bote was the latest version at the time of this ticket creation.

To clarify, at the time, I could reproduce on I2P 0.9.14 but not on 0.9.15.

Could Jetty or the browser I was using at the time somehow have created a race condition?

str4d avatar Apr 17 '17 00:04 str4d

Trac update at 20150129T11:41:34: ihave2p changed summary from "Bote: local DoS with certain passwords makes messages irretrievable/unsendable" to "I2P-Bote: local DoS with certain passwords makes messages irretrievable/unsendable"

str4d avatar Apr 17 '17 00:04 str4d

Trac update at 20150607T11:36:22: killyourtv commented:

I'd be very surprised if this isn't related to the XSS filtering that was added to 0.9.14, fixed up some in 0.9.14.1 and 0.9.15 (kinda like https://trac.i2p2.de/ticket/1339).

str4d avatar Apr 17 '17 00:04 str4d

Trac update at 20170115T13:57:30: zzz changed owner from "HungryHobo" to "str4d"

str4d avatar Apr 17 '17 00:04 str4d