ravisorg/Mellt

Possible security flaw

Closed this issue · 1 comment

Hi,

I might be mistaken, but while I was checking the Node.js implementation of the CheckPassword method, I noticed the following code:

exports.CheckPassword = function(password) {
    //make sure it is lower case, this function can be called by itself
    password = password.toLowerCase();
    var common = CheckCommon(password);
    return common === true ? -1 : BruteForce(password);
}

The method lower-cases the password to check it against the dictionary, which makes sense. However, we then brute force the lower-cased password and not the original one. Shouldn't we do this instead?

exports.CheckPassword = function(password) {
    //lower-case only for the dictionary lookup; brute force the password as typed
    var common = CheckCommon(password.toLowerCase());
    return common === true ? -1 : BruteForce(password);
}

Same goes for the BruteForce method. Why is Mellt testing a lower-cased version of the password ?
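Added illustration (not Mellt's code and not part of the issue author's post): a deliberately simplified estimator that makes the difference between the two orderings visible. It assumes a character-class keyspace model (alphabet = union of the classes present, guesses = size^length) and a constructed four-entry dictionary; Mellt's actual brute-force model and dictionary are not reproduced here. The names checkPasswordFoldedFirst and checkPasswordProposed are hypothetical and mirror the two snippets above.

```javascript
// Added example, not Mellt's code. Simplified model to show the effect of
// folding case before the brute-force estimate versus only for the lookup.

// Constructed sample dictionary (stand-in for a real common-password list).
const COMMON = new Set(["password", "123456", "qwerty", "letmein"]);

// Dictionary check: case-insensitive, so "PASSWORD" and "password" both hit.
function checkCommon(password) {
  return COMMON.has(password.toLowerCase());
}

// Assumed keyspace model: the attacker's alphabet is the union of the
// character classes actually present in the string being estimated.
function charsetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[0-9]/.test(password)) size += 10;
  if (/[^a-zA-Z0-9]/.test(password)) size += 33; // printable ASCII punctuation and space
  return size;
}

// Worst-case exhaustive search: size^length guesses at a fixed guess rate,
// expressed in days. The rate is an assumption for illustration only.
function bruteForceDays(password, guessesPerSecond = 1e9) {
  const guesses = Math.pow(charsetSize(password), password.length);
  return guesses / guessesPerSecond / 86400;
}

// Ordering from the original snippet: fold case first, then estimate the
// folded string. Any upper-case letters are lost before the estimate.
function checkPasswordFoldedFirst(password) {
  const folded = password.toLowerCase();
  return checkCommon(folded) ? -1 : bruteForceDays(folded);
}

// Ordering from the proposed snippet: fold case only inside the dictionary
// lookup, and estimate the password exactly as typed.
function checkPasswordProposed(password) {
  return checkCommon(password) ? -1 : bruteForceDays(password);
}

// Side-by-side comparison for a set of inputs; returns the rows so they can
// be inspected programmatically rather than only printed.
function compare(passwords) {
  return passwords.map((p) => ({
    password: p,
    foldedFirst: checkPasswordFoldedFirst(p),
    proposed: checkPasswordProposed(p),
  }));
}

// Constructed inputs: one dictionary hit in mixed case, one mixed-case password.
for (const row of compare(["PASSWORD", "Password1"])) {
  console.log(row);
}
```

With "Password1", the folded-first ordering estimates over a 36-character alphabet (lower-case plus digits), the proposed ordering over 62 (upper-case included), so the two estimates differ by (62/36)^9, roughly two orders of magnitude, while a dictionary hit such as "PASSWORD" returns -1 under both orderings.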

This is the same issue as #10