This repository has been archived by the owner on Jun 2, 2023. It is now read-only.

Change password works, but spams 10000+ requests and locks the account #605

Open
sngoz opened this issue Nov 25, 2020 · 23 comments

Comments

@sngoz

sngoz commented Nov 25, 2020

PassCore Server

  • OS: Windows
  • Provider: Active Directory, but also the same when using LDAP
  • Settings file (without sensitive information): at end
  • Log file (without sensitive information):

Describe the bug
Change password works (takes a long time), but the account locks.

In developer tools, it is spamming 10000+ requests as soon as you click on the Change Password button.

[screenshot: browser developer tools network tab showing the flood of password-change requests]

The first request works, as the password changes.
But then it displays "you need to provide the correct password" multiple times.
Then it displays the account locked.

Note: If you want to report an issue of passcorepro, please use the proper bug report form at https://store.unosquare.com/passcorepro

To Reproduce
Steps to reproduce the behavior:

  1. Enter details then click on Change Password
  2. See error

Expected behavior
Should only make 1 request to change the password not thousands.

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: Chrome
  • Version: 86.0.4240.198 (Official Build) (64-bit)

appsettings.json

{
  "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
      "Default": "Debug",
      "System": "Information",
      "Microsoft": "Information"
    }
  },
  "WebSettings": {
    "EnableHttpsRedirect": true
  },
  "AppSettings": {
    // The following options are for the AD Provider (remove if you don't use this Provider)
    "UseAutomaticContext": true, // Set true to allow PassCore to reset passwords using the same credentials, or false if you will fill in the credentials below
    "RestrictedADGroups": ["Enterprise Admins"], // Set the AD groups that are not allowed to use PassCore
    "AllowedADGroups": ["Domain Users"], // Set the AD groups allowed to use PassCore; if the array is empty, all groups not restricted above are allowed
    "IdTypeForUser": "UPN", // Possible values are "DN", "GUID", "Name", "SAM", "SID" and "UPN" (Default UPN)

    // The following options are for the LDAP Provider (remove if you don't use this Provider)
    //"LdapSearchBase": "OU=Company,DC=xxxxxxxxx,DC=local",
    //"LdapSecureSocketLayer": false, // Default for AD is true when using LDAPS 636
    //"LdapStartTls": true, // Default for AD is true when using LDAP 389
    //"LdapChangePasswordWithDelAdd": true,
    //"LdapSearchFilter": "(sAMAccountName={Username})", // Another value: "(&(objectClass=person)(cn={Username}))"

    // General options (valid for both providers)
    "LdapHostnames": [ "xxxxxxx.xxxxxxx.local" ], // Set your hostname(s)
    "LdapPort": 389, // Default for AD is 389, for LDAPS 636
    "LdapUsername": "", // Set the username or distinguished name (DN) used to bind to the LDAP server
    "LdapPassword": "", // Set the password for the username
    "DefaultDomain": "xxxxxx.local" // Set your default AD domain here, or logins without "@" will not work! Use an empty value to let the user set the domain. This option is ONLY available with UPN.
  },
  "ClientSettings": {
    "ValidationRegex": {
      // Backslashes must be doubled inside JSON strings
      "EmailRegex": "^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*$",
      "UsernameRegex": "^[a-zA-Z0-9._-]{3,20}$"
    },
    "UsePasswordGeneration": false, // Set true to let PassCore create a new password for the current account. If true the user cannot choose the new password.
    "MinimumDistance": 0, // The minimum distance between the old and the new password, enforced as Levenshtein edit distance.
    "PasswordEntropy": 16, // The number of bytes of entropy to use for generated passwords
    "ShowPasswordMeter": true,
    "MinimumScore": 0, // The minimum ZXCVBN score the user's new password must reach to be accepted as the new password.
    "Recaptcha": {
      "SiteKey": "", // ReCAPTCHA public key: replace this! Or leave empty if you don't need ReCAPTCHA
      "PrivateKey": "", // ReCAPTCHA private key: replace this! Or leave empty if you don't need ReCAPTCHA
      "LanguageCode": "en"
    },
    "UseEmail": "true",
    "ApplicationTitle": "Change Account Password | Self-Service Account Management Tools",
    "ChangePasswordTitle": "Change Account Password",
    "ChangePasswordForm": {
      "HelpText": "If you are having trouble with this tool, please contact IT Support",
      "UsernameLabel": "Username",
      "UsernameHelpblock": "Your organization's email address",
      "UsernameDefaultDomainHelperBlock": "Your organization's username",
      "CurrentPasswordLabel": "Current Password",
      "CurrentPasswordHelpblock": "Enter your current password",
      "NewPasswordLabel": "New Password",
      "NewPasswordHelpblock": "Enter a strong password. You can use this tool to help you create one; use the XKCD (random sep, pad digit), or NTLM, options.",
      "NewPasswordVerifyLabel": "Re-enter New Password",
      "NewPasswordVerifyHelpblock": "Enter your new password again",
      "ChangePasswordButtonLabel": "Change Password"
    },
    "ErrorsPasswordForm": {
      "FieldRequired": "This field is required",
      "UsernamePattern": "Please enter a valid username",
      "UsernameEmailPattern": "Please enter a valid email address",
      "PasswordMatch": "Passwords do not match"
    },
    "Alerts": {
      "SuccessAlertTitle": "You have changed your password successfully.",
      "SuccessAlertBody": "Please note it may take a few hours for your new password to reach all domain controllers.",
      "ErrorPasswordChangeNotAllowed": "You are not allowed to change your password. Please contact your system administrator.",
      "ErrorInvalidCredentials": "You need to provide the correct current password.",
      "ErrorInvalidDomain": "You have supplied an invalid domain to logon to.",
      "ErrorInvalidUser": "We could not find your user account.",
      "ErrorCaptcha": "Could not verify you are not a robot.",
      "ErrorFieldRequired": "Fill in all the fields.",
      "ErrorFieldMismatch": "The passwords do not match.",
      "ErrorComplexPassword": "Failed due to password complexity policies: New password length is shorter than AD minimum password length",
      "ErrorConnectionLdap": "Unhandled error connecting to the LDAP server.",
      "ErrorScorePassword": "The password you are trying to set is not secure enough.",
      "ErrorDistancePassword": "The password you are trying to set is not different enough from your last password.",
      "ErrorPwnedPassword": "The password you are trying to use is publicly known and can be used in dictionary attacks."
    }
  }
}

sngoz changed the title from "Change password works, but spamming 10000+ requests and locks the accounts" to "Change password works, but spams 10000+ requests and locks the account" on Nov 25, 2020
@4arizard

4arizard commented Dec 1, 2020

The same with me, the password was successfully changed, but many errors appear and the account is blocked by the domain policy

@eponerine

I confirmed that this issue happens with v4.2.0 and v4.2.4.

Using the same appsettings.json file in v4.0.0 and everything works perfectly fine. It's as if the CHANGE PASSWORD button is waiting for a 200 back, but spams the hell out of the password endpoint before it can return. I saw upwards of 8000 requests before all but 1 request errored out.
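
The sequence reported in this thread (first request succeeds, then repeated "correct current password" errors, then a lockout) is what you get when a form re-submits on every re-render while the first request is still in flight. The toy model below is an added example and is not PassCore's own code; the thread does not show the actual defect, so the cause is modelled, not reproduced. The lockout threshold (5 bad attempts), the request latency, the render count and the account details are constructed assumptions; the error names reuse the Alerts keys from the appsettings.json posted above.

```javascript
// Added example, not PassCore's code. A password-change endpoint with an AD-style
// lockout policy, a client that re-submits on every re-render while a request is
// still in flight (the bug), and the same client with an in-flight guard (the fix).
// Thresholds, latency, render count and account data are constructed assumptions.

const LOCKOUT_THRESHOLD = 5; // assumed domain policy: lock after 5 bad current passwords

// Constructed server holding one account. Requests are answered `latencyTicks`
// ticks after they arrive, so several can be in flight at the same time.
function makeServer(username, password, latencyTicks) {
  const account = { username, password, badCount: 0, locked: false };
  let clock = 0;
  let pending = [];

  function handle({ username: u, currentPassword, newPassword }) {
    if (u !== account.username) return { ok: false, error: 'ErrorInvalidUser' };
    if (account.locked) return { ok: false, error: 'ErrorPasswordChangeNotAllowed' };
    if (currentPassword !== account.password) {
      // After the first request succeeds, every duplicate still carries the OLD
      // password, so each one counts as a bad attempt and trips the lockout policy.
      account.badCount += 1;
      if (account.badCount >= LOCKOUT_THRESHOLD) account.locked = true;
      return { ok: false, error: 'ErrorInvalidCredentials' };
    }
    account.password = newPassword;
    account.badCount = 0;
    return { ok: true };
  }

  return {
    changePassword(req, cb) { pending.push({ due: clock + latencyTicks, req, cb }); },
    tick() {
      clock += 1;
      const due = pending.filter((p) => p.due <= clock);
      pending = pending.filter((p) => p.due > clock);
      due.forEach((p) => p.cb(handle(p.req)));
    },
    pendingCount: () => pending.length,
    state: () => ({ ...account }),
  };
}

// Drive the form through `renders` re-renders. On each render the component decides
// whether to submit: the buggy version only checks "not succeeded yet", the guarded
// version also checks "no request in flight".
function runClient(server, form, renders, guarded) {
  const responses = [];
  let inFlight = false;
  let succeeded = false;
  let sent = 0;
  for (let i = 0; i < renders; i++) {
    const shouldSubmit = guarded ? (!succeeded && !inFlight) : !succeeded;
    if (shouldSubmit) {
      inFlight = true;
      sent += 1;
      server.changePassword(form, (r) => {
        inFlight = false;
        responses.push(r);
        if (r.ok) succeeded = true;
      });
    }
    server.tick();
  }
  while (server.pendingCount() > 0) server.tick(); // let in-flight requests finish
  return { sent, responses, account: server.state() };
}

// Constructed scenario: 8 ticks of latency, 10 re-renders of the form.
function simulate(guarded) {
  const server = makeServer('alice', 'OldPassw0rd!', 8);
  const form = { username: 'alice', currentPassword: 'OldPassw0rd!', newPassword: 'N3wPassw0rd!' };
  return runClient(server, form, 10, guarded);
}

// Collapse a run into the numbers worth comparing: requests sent, outcome counts,
// whether the account ended up locked, and the password the server now holds.
function summarize(result) {
  const counts = {};
  for (const r of result.responses) {
    const k = r.ok ? 'ok' : r.error;
    counts[k] = (counts[k] || 0) + 1;
  }
  return { sent: result.sent, counts, locked: result.account.locked, password: result.account.password };
}

console.log('buggy  ', summarize(simulate(false)));
console.log('guarded', summarize(simulate(true)));
```

In the buggy run the password does change (the first request wins), but the seven duplicates that were already queued arrive with the old password, five of them are counted as bad attempts and the account locks before the last two are even evaluated. The guarded run sends exactly one request. The guard belongs in the client regardless of how the server behaves, because the lockout policy is enforced by the domain, not by the web application, and a locked account is exactly what a self-service password tool exists to avoid.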

@sngoz
Author

sngoz commented Dec 3, 2020

@eponerine @4arizard v4.0.0 works for me. Thank you @eponerine !!!

@geoperez
Member

geoperez commented Dec 7, 2020

@antonioi88 just pushed a fix; can you confirm it before we push a new version?

@vgan

vgan commented Dec 9, 2020

@geoperez I deployed the fix to my environment running v4.2.4 and it appears to be working.

@eponerine

For what it's worth, I think the following issues are related:

#600
#598

@ghost

ghost commented Dec 11, 2020

Hello,

I have the same issue. What should I do to resolve this problem. I'm using binary version downloaded from:
https://github.com/unosquare/passcore/releases/download/4.2.4/PassCore424.zip

Thank you in advance for any information.

@geoperez
Member

We haven't released a binary version yet; you need to compile it. I'll try to release it tomorrow.

@ps-ckrelle

We are seeing this behavior on a Windows-hosted box; we are testing with version 4.2.4.

@ghost

ghost commented Dec 15, 2020

I was trying to use version 4.0.0, but it seems to work the same way. When I press the "Change password" button it sends a lot of requests. I don't have any idea what I configured wrong...

On the same server (IIS) version 3.6.4 works very well.

@4arizard

Did I understand correctly, is it fixed in the source code? How do I compile a new binary version?

@ezeitoun

ezeitoun commented Jan 7, 2021

Any plans to release a new version with the fix for this issue, or to provide detailed info on how to patch the existing one (via code compile)?
Thanks!

@ndom91

ndom91 commented Jan 9, 2021

Still having this issue with 4.2.4, even when manually bumping .NET from 3.1 to 5.1 in the deps.json file as mentioned in another issue here.

@hkml2000

Hi,

I downgraded to release 4.2.3 with the appsettings.json from 4.2.4, and it works fine.

@ndom91

ndom91 commented Jan 10, 2021

Downgrading to 4.2.3 did the trick for me as well 👍

FYI - 4.2.3 still lists 4.2.0 as the version in the footer. You can do a little find/replace on the wwwroot/App.xyz.js file.

@julitalvensaari

Same here - Downgrading to 4.2.3 from 4.2.4 solved the issue for me.

@mihaimacarie98

I have the latest version and I have a similar issue

@ndom91

ndom91 commented Apr 23, 2021

@yo2mno downgrading to 4.2.3 will fix it for the time being..

@stale

stale bot commented Jul 1, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bot added the "wontfix" label on Jul 1, 2021
@simonai1254

A downgrade to 4.2.3 was the only solution for me as well, as I found no option to disable the web checks. I am running PassCore in a closed environment without internet access, and there the check by design can only fail...

@NoSubstitute

I downgraded to 3.6.4 and it works, but is of course missing some nice features.

@stale

stale bot commented Apr 16, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bot added the "wontfix" label on Apr 16, 2022
@simonai1254

Keepalive

stale bot removed the "wontfix" label on Apr 19, 2022

Labels: None yet
Projects: None yet
Development: No branches or pull requests