i2p.i2p-bote
Local DoS with certain passwords, #2 (Trac #1404)
This borderlines major/critical. Marking as critical since Bote is now 50% useless without a restored backup. To my joy, this was not on my dev machine >:-|
Summary: After attempting to change a working password to a blank password (nothing entered in the "New password" and "Confirm:" fields) and subsequently clearing the password cache of the working password, any further attempts to access Bote /folder.jsp?path=Trash or /folder.jsp?path=Trash ("Sent" or "Trash") messages result in local DoS (500 page). Unless a full ~/i2pbote restore is made, Bote "Sent" and "Trash" messages appear to be completely inaccessible.
To reproduce:
- Go directly to settings and try to change to blank password
- Clear password cache (key icon on top right)
- Click on "Sent" or "Trash" and authenticate with old working password
- Also click on "Inbox" and "Outbox" for comparison
Notes: "Invalid header bytes: [0, 0, 0, 0], expected: [73, 66, 101, 102]" is returned after attempting to change the password from a working one to a blank one. The new blank password is never accepted and any attempts to enter a blank password (when authenticating) will return "Wrong password. Try again."
Restarting the router has no effect. Reinstalling the plugin has no effect. AFAIK, only a full ~/i2pbote restore of a working backup will restore complete functionality.
Migrated from https://trac.i2p2.de/ticket/1404
{
"status": "assigned",
"changetime": "2017-01-15T13:57:05",
"description": "This borderlines major/critical. Marking as critical since Bote is now 50% useless without a restored backup. To my joy, this was *not* on my dev machine >:-|\n\nSummary:\nAfter attempting to change a working password to a blank password (nothing entered in the \"New password\" and \"Confirm:\" fields) and subsequently clearing the password cache of the *working* password, any further attempts to access Bote /folder.jsp?path=Trash or /folder.jsp?path=Trash (\"Sent\" or \"Trash\") messages results in local DoS (500 page). Unless a full ~/i2pbote restore is made, Bote \"Sent\" and \"Trash\" messages appear to be completely inaccessible.\n\nTo reproduce:\n1) Go directly to settings and try to change to blank password\n2) Clear password cache (key icon on top right)\n3) Click on \"Sent\" or \"Trash\" and authenticate with old *working* password\n4) Also click on \"Inbox\" and \"Outbox\" for comparison\n\nNotes:\n\"Invalid header bytes: [0, 0, 0, 0], expected: [73, 66, 101, 102]\" is returned after attempting to change the password from a working one to a blank one. The new blank password is never accepted and any attempts to enter a blank password (when authenticating) will return \"Wrong password. Try again.\"\n \nRestarting the router has no effect. Reinstalling the plugin has no effect. AFAIK, only a full ~/i2pbote restore of a working backup will restore complete functionality.",
"reporter": "ihave2p",
"cc": "",
"resolution": "",
"_ts": "1484488625549282",
"component": "apps/plugins",
"summary": "I2P-Bote: local DoS with certain passwords, #2",
"priority": "critical",
"keywords": "I2P-Bote",
"version": "0.9.15",
"parents": "1382",
"time": "2014-10-31T13:08:34",
"milestone": "",
"owner": "str4d",
"type": "defect"
}
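A triage sketch for the "Invalid header bytes" error quoted in the report, added here as an example and not taken from the ticket or from I2P-Bote's code: it classifies files by their first four bytes against the expected header `[73, 66, 101, 102]` and lists the files that are zeroed in a live copy but intact in a backup. The ticket does not say which files under ~/i2pbote carry this header or which ones were damaged, so the folder names, file names and the zeroed files in the sample tree are constructed assumptions.

```python
import tempfile
from pathlib import Path

# Header the error message on this page says is expected: [73, 66, 101, 102]
EXPECTED_HEADER = bytes([73, 66, 101, 102])  # ASCII "IBef"
ZERO_HEADER = bytes(len(EXPECTED_HEADER))    # [0, 0, 0, 0], as in the report


def classify_header(path):
    """Classify a file by its first four bytes without reading the rest."""
    with open(path, "rb") as f:
        head = f.read(len(EXPECTED_HEADER))
    if len(head) < len(EXPECTED_HEADER):
        return "short"
    if head == EXPECTED_HEADER:
        return "ok"
    if head == ZERO_HEADER:
        return "zeroed"
    return "other"  # may simply be a file that never carries this header


def scan(root):
    """Map relative path -> classification for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): classify_header(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def restore_candidates(live_root, backup_root):
    """Files zeroed in the live tree whose backup copy has the expected header."""
    live, backup = scan(live_root), scan(backup_root)
    return sorted(name for name, state in live.items()
                  if state == "zeroed" and backup.get(name) == "ok")


def build_sample(root, damaged):
    """Constructed sample tree; folder and file names are hypothetical."""
    root = Path(root)
    for folder in ("inbox", "sent", "trash"):
        (root / folder).mkdir(parents=True)
        bad = damaged and folder != "inbox"  # assumption made for the demo only
        header = ZERO_HEADER if bad else EXPECTED_HEADER
        (root / folder / "msg1").write_bytes(header + b"constructed payload")
    (root / "notes.txt").write_bytes(b"plain text, no header")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as bak:
        build_sample(live, damaged=True)
        build_sample(bak, damaged=False)
        for name, state in scan(live).items():
            print(f"{state:7} {name}")
        print("restore from backup:", restore_candidates(live, bak))
```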
Trac update at 20141031T13:09:38: ihave2p changed attachment from "" to "ticket-2014.10.31.log"
Trac update at 20150109T23:40:25: str4d changed keywords from "Bote password DoS" to "I2P-Bote"
Trac update at 20150129T11:42:13: ihave2p changed summary from "Bote: local DoS with certain passwords, #2" to "I2P-Bote: local DoS with certain passwords, #2"
Trac update at 20150607T11:39:53: killyourtv commented:
Could this also be XSSfilter related? I don't know which characters are whitelisted but I suspect
or an empty string is not one of them.
(Just thinking aloud)
Trac update at 20170115T13:57:05:
- zzz changed owner from "" to "str4d"
- zzz changed status from "new" to "assigned"