Nextcloud: No password length restriction in reset password endpoint

2023-01-0308:44:39

aditya404

hackerone.com

103

nextcloud

password length restriction

denial of service

bug bounty

0.001 Low

EPSS

Percentile

45.3%

JSON

Hi,

##Summary:
There is no password length restriction in reset password endpoint at https://efss.qloud.my/index.php/login when resetting for new password.

##Steps To Reproduce:

Visit https://nextcloud.com/sign-up/ and Sign up.
Logout and reset your password.

3.Go to your email and click on reset password link.
4.Enter 150 characters or more as a password and confirm the characters.
5.You will successfully logged in.

Impact

Attacker can do denial of service to your server since there is no restriction in the length of password.
Example when he enter like 2500 character, your server will crash for some time
Below Image is the impact of entering 2500 characters.

##Mitigation :

Restrict user to use less than 40 character as a password, while the restriction should be both on back-end and front-end (with javascript ).

##THANK YOU