Phabricator: Bypass

ID H1:2224
Type hackerone
Reporter tomvg
Modified 2014-03-25T18:23:30


Email addresses are stored as VARCHAR(128). However, Phabricator does not verify the length of an email address upon registration. This allows attackers to bypass the allowed email-domains defined in

Exploiting this is rather straightforward: get an email address that is 128 characters long (This StackOverflow answer indicates that the maximum length of an email address is 254 characters). Now register with your 128-character email address with appended to it. The part will be truncated because MySQL can’t store it, and you will receive a verification email at your 128-character email address.

This is especially easy if you’re using a Gmail address: if you own, you’ll also receive any mail sent to attacker+aaaaaaaaaaa…
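As an added illustration (not code from the report or from Phabricator), the Python below models the gap described above and a length-aware check that closes it: the column width, the allow-list, the "naive" checker and the addresses are all constructed for the demo.

```python
# Added illustration (not Phabricator's code): why a domain check that ignores
# the storage column width can be bypassed by silent truncation, and a check
# that closes the gap. Column width, domain list and addresses are constructed.
EMAIL_COLUMN_LENGTH = 128                 # VARCHAR(128), as in the report
ALLOWED_DOMAINS = {"example.com"}         # constructed allow-list

def naive_domain(email):
    """Domain as a careless check sees it: whatever follows the last '@'."""
    return email.rsplit("@", 1)[-1].lower()

def naive_is_allowed(email, allowed=ALLOWED_DOMAINS):
    """Vulnerable check: inspects the submitted string, not the stored one."""
    return naive_domain(email) in allowed

def mysql_truncate(value, width=EMAIL_COLUMN_LENGTH):
    """What a MySQL server not running in strict mode does on INSERT."""
    return value[:width]

def hardened_is_allowed(email, allowed=ALLOWED_DOMAINS, width=EMAIL_COLUMN_LENGTH):
    """Fixed check: reject anything the column cannot store unchanged, require
    exactly one '@', and only then compare the domain."""
    if len(email) > width:
        return False
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return False
    return domain.lower() in allowed

def stored_domain(email):
    """Domain of the address that actually lands in the table."""
    return naive_domain(mysql_truncate(email))

# Constructed scenario: a 128-character address at an outside domain, with an
# allowed domain appended so that the naive check passes.
OUTSIDE = "a" * 114 + "@attacker.test"     # exactly 128 characters
SUBMITTED = OUTSIDE + "@example.com"       # 140 characters, truncated on INSERT

if __name__ == "__main__":
    print(len(OUTSIDE), naive_is_allowed(SUBMITTED),
          stored_domain(SUBMITTED), hardened_is_allowed(SUBMITTED))
```

Independently of the application check, running MySQL with `STRICT_TRANS_TABLES` (or `STRICT_ALL_TABLES`) in `sql_mode` makes the server reject an oversized INSERT instead of silently truncating it, which turns this class of bug into a visible error.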