search

nesfit / fitcrack

A hashcat-based distributed password cracking system
https://fitcrack.fit.vutbr.cz/
Other
145 stars 30 forks source link

Uploading mask file with invalid masks is not rejected #74

Closed alpatron closed 1 year ago

alpatron commented 1 year ago

Hi, when I try to upload a mask file which contains invalid masks (for example ?:?*?=?)), then Webadmin does not reject this and accepts this file.

The Add Job UI properly rejects this.

obrazek

Seems the regex here does not properly validate masks.

https://github.com/nesfit/fitcrack/blob/5a2f48e47ac31748e85e6fa4235b6ffd304edcb2/webadmin/fitcrackAPI/src/src/api/fitcrack/attacks/functions.py#L19-L21

System details

Fitcrack dev build (f2a0232dd77ef7b4a0ff1fceb736b3d8f169a057) on Ubuntu 22.04.2

How to reproduce

  1. In Webadmin, go to Library -> Masks
  2. Upload a file with an invalid mask like fc_auto_test_mask_invalid_mask.txt
  3. The file will be accepted despite containing invalid masks