Phabricator: Bypass auth.email-domains

2014-02-23T16:08:39
ID H1:2224
Type hackerone
Reporter tomvg
Modified 2014-03-25T18:23:30

Description

Email addresses are stored as VARCHAR(128). However, Phabricator does not verify the length of an email address upon registration. This allows attackers to bypass the allowed email-domains defined in auth.email-domains.

Exploiting this is rather straightforward: get an email address that is 128 characters long (this StackOverflow answer indicates that the maximum length of an email address is 254 characters). Now register with your 128-character email address with @allowed-domain.com appended to it. The @allowed-domain.com part will be truncated because MySQL can’t store it, and you will receive a verification email at your 128-character email address.

This is especially easy if you’re using a Gmail address: if you own attacker@gmail.com, you’ll also receive any mails sent to attacker+aaaaaaaaaaa…aaa@gmail.com.
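The mismatch described above, modelled as an added example (this is not Phabricator's code): the vulnerable flow checks the domain on the submitted value and then lets the VARCHAR(128) column silently truncate it, while the hardened flow rejects anything that does not fit the column and checks the domain of exactly the value that will be stored. The column width comes from the report; the allowlist entry, the `@example.org` address and the simulated non-strict MySQL truncation are constructed for the example.

```python
from typing import Optional

EMAIL_COLUMN_WIDTH = 128                  # VARCHAR(128), as stated in the report
ALLOWED_DOMAINS = {"allowed-domain.com"}  # constructed auth.email-domains allowlist


def domain_of(email: str) -> str:
    """Return the part after the last '@' (lower-cased), or '' if there is none."""
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


def mysql_non_strict_store(email: str) -> str:
    """Simulate a non-strict sql_mode: an oversized value is silently cut to fit."""
    return email[:EMAIL_COLUMN_WIDTH]


def vulnerable_register(email: str) -> Optional[str]:
    """Domain check on the submitted string, then store (and truncate).

    Returns the address that actually lands in the database, or None if refused.
    """
    if domain_of(email) not in ALLOWED_DOMAINS:
        return None
    return mysql_non_strict_store(email)


def hardened_register(email: str) -> Optional[str]:
    """Refuse anything the column cannot hold, then check the domain of the
    value that will really be stored, so check and storage cannot diverge."""
    if len(email) > EMAIL_COLUMN_WIDTH:
        return None
    stored = mysql_non_strict_store(email)  # no-op after the length check
    if domain_of(stored) not in ALLOWED_DOMAINS:
        return None
    return stored


# Constructed inputs: a 128-character address on an outside domain, with
# "@allowed-domain.com" appended to it as the report describes.
_LOCAL = "attacker+" + "a" * (EMAIL_COLUMN_WIDTH - len("attacker+") - len("@example.org"))
OUTSIDE_ADDRESS = _LOCAL + "@example.org"           # exactly 128 characters
CRAFTED = OUTSIDE_ADDRESS + "@allowed-domain.com"   # passes the naive domain check

if __name__ == "__main__":
    print("vulnerable stores:", vulnerable_register(CRAFTED))  # the example.org address
    print("hardened stores:  ", hardened_register(CRAFTED))    # None
```

With a strict sql_mode (for example STRICT_TRANS_TABLES) the oversized INSERT fails with "Data too long" instead of truncating, which turns the bypass into an error; the application-side length check is still the right place to reject such input.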