i2p / i2p.i2p-bote

I2P-Bote is a serverless, encrypted e-mail application.
https://i2pbote.xyz

Local DoS with certain passwords, #2 (Trac #1404) #32

Open str4d opened 7 years ago

str4d commented 7 years ago

This borderlines major/critical. Marking as critical since Bote is now 50% useless without a restored backup. To my joy, this was not on my dev machine >:-|

Summary:
After attempting to change a working password to a blank password (nothing entered in the "New password" and "Confirm:" fields) and subsequently clearing the password cache of the working password, any further attempts to access Bote /folder.jsp?path=Trash or /folder.jsp?path=Trash ("Sent" or "Trash") messages result in local DoS (500 page). Unless a full ~/i2pbote restore is made, Bote "Sent" and "Trash" messages appear to be completely inaccessible.

To reproduce:
1) Go directly to settings and try to change to blank password
2) Clear password cache (key icon on top right)
3) Click on "Sent" or "Trash" and authenticate with old working password
4) Also click on "Inbox" and "Outbox" for comparison

Notes:
"Invalid header bytes: [0, 0, 0, 0], expected: [73, 66, 101, 102]" is returned after attempting to change the password from a working one to a blank one. The new blank password is never accepted and any attempts to enter a blank password (when authenticating) will return "Wrong password. Try again."

Restarting the router has no effect. Reinstalling the plugin has no effect. AFAIK, only a full ~/i2pbote restore of a working backup will restore complete functionality.

Migrated from https://trac.i2p2.de/ticket/1404

{
    "status": "assigned", 
    "changetime": "2017-01-15T13:57:05", 
    "reporter": "ihave2p", 
    "cc": "", 
    "resolution": "", 
    "_ts": "1484488625549282", 
    "component": "apps/plugins", 
    "summary": "I2P-Bote: local DoS with certain passwords, #2", 
    "priority": "critical", 
    "keywords": "I2P-Bote", 
    "version": "0.9.15", 
    "parents": "1382", 
    "time": "2014-10-31T13:08:34", 
    "milestone": "", 
    "owner": "str4d", 
    "type": "defect"
}
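
Added triage example, not part of the original report and not I2P-Bote code: a read-only scan that sorts the files in a copy of the data directory by their first four bytes, using the expected header [73, 66, 101, 102] and the zeroed header [0, 0, 0, 0] quoted in the error message above. It assumes the header sits at offset 0 of each encrypted file and that the directory to scan is passed as an argument; the function names are hypothetical, and a file reported as "other" may simply be one that is not stored encrypted.

```python
"""Added example: classify files by their first four bytes (read-only)."""
import os
import sys
from collections import defaultdict

# Expected header from the error message in the report; ASCII "IBef".
EXPECTED_HEADER = bytes([73, 66, 101, 102])
# The [0, 0, 0, 0] value the report shows in place of the header.
ZERO_HEADER = bytes(4)


def classify_file(path):
    """Return 'ok', 'zeroed', 'short' or 'other' for one file."""
    with open(path, "rb") as fh:
        head = fh.read(len(EXPECTED_HEADER))
    if len(head) < len(EXPECTED_HEADER):
        return "short"   # truncated or empty file
    if head == EXPECTED_HEADER:
        return "ok"
    if head == ZERO_HEADER:
        return "zeroed"  # matches the failure described in the report
    return "other"       # assumption: may be a file that is not encrypted


def scan_tree(root):
    """Walk root without modifying it; group relative paths by class."""
    report = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                kind = classify_file(full)
            except OSError:
                kind = "unreadable"
            report[kind].append(os.path.relpath(full, root))
    return dict(report)


if __name__ == "__main__":
    # Assumption: argv[1] is a copy of the data directory (e.g. of ~/i2pbote).
    result = scan_tree(sys.argv[1])
    for kind in sorted(result):
        print(f"{kind}: {len(result[kind])}")
        if kind in ("zeroed", "short", "unreadable"):
            for rel in result[kind]:
                print(f"  {rel}")
```

Running it against both the damaged directory and the backup shows which files changed class, which narrows down what the failed password change actually rewrote.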
str4d commented 7 years ago

Trac update at 20141031T13:09:38: ihave2p changed attachment from "" to "ticket-2014.10.31.log"

str4d commented 7 years ago

Trac update at 20150109T23:40:25: str4d changed keywords from "Bote password DoS" to "I2P-Bote"

str4d commented 7 years ago

Trac update at 20150129T11:42:13: ihave2p changed summary from "Bote: local DoS with certain passwords, #2" to "I2P-Bote: local DoS with certain passwords, #2"

str4d commented 7 years ago

Trac update at 20150607T11:39:53: killyourtv commented:

Could this also be XSSfilter related? I don't know which characters are whitelisted but I suspect or an empty string is not one of them.

(Just thinking aloud)

str4d commented 7 years ago

Trac update at 20170115T13:57:05: