Description

By sending a very long password (1.000.000 characters) it's possible to cause a denial a service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion.

This vulnerability was detected by sending passwords with various lengths and comparing the measured response times. Consult details for more information.

Remediation

The password hashing implementation must be fixed to limit the maximum length of accepted passwords.

References

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

Timing Attack and the importance of controlling the length of the input | The Case of Drupal CVE-2014-9016

Related Vulnerabilities

Joomla! Core Denial of Service (2.5.0 - 3.9.27)

PHP version older than 5.2.1

WordPress 4.8.x Denial of Service Vulnerability (4.8 - 4.8.5)

WordPress 5.3.x Multiple Vulnerabilities (5.3 - 5.3.15)

PHP multipart/form-data denial of service

Severity

High

Classification

CWE-400 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Tags

Denial Of Service