Bug report - Admin password length - EE Super Hub Plus

gergy008 — Sat, 12 Oct 2024 13:08:15 GMT

Hi,
I'm not sure how to submit a bug report with the router firmware that I found on the EE Super Hub Plus. So, I thought I would throw everything I know about the bug below. This might also make for a good bug reporting template.

Define the problem - What happened, and how can you trigger this again?
Change administrator password text field allows more characters than the text field used to enter and change administrator settings. Change password to a long password, then try to enter it when changing settings. The field is limited so the password cannot be accepted.

What's the consequence?
After changing the user password to a password longer than 20 characters, the user is then locked out and unable to access administrator controls.

How is this resolved by a customer?
Full router reset required to get the default admin password back, then the password can be changed to less or equal to 20 characters.

Is there a workaround?
After changing password to more than 20 characters, a user can use Inspect Element in the browser to manually change the maxlength attribute of the text field to accept more characters. The user can then log in just fine with the longer password.

Is this a potential security risk?
Very low risk

If it is a potential security risk, how?
Maximum password length is artificially and arbitrarily limited, making it easier for an agent to crack, or guess. The entire router interface, and the internal router software itself will accept a much longer password just fine.

What's the fix for the software developer?
Review or remove requirement for max length via maxlength attribute used within password field of the confirm admin password modal.

DO NOT reduce the maxlength attribute value for the change admin password screen, unless other technical reasons for reduction are present (otherwise a low security risk would remain present).
DO NOT truncate the user input (at any point) as this would introduce a new high security risk.

Re: Bug report - Admin password length - EE Super Hub Plus

gergy008 — Sat, 12 Oct 2024 13:11:00 GMT

This was previously raised in the following posts:

https://community.ee.co.uk/t5/Broadband-Landline/Smart-Hub-Plus-password-length/td-p/1398871
https://community.ee.co.uk/t5/Broadband-Landline/New-security-password-not-accepted/td-p/1357838

This bug has existed for at least 8 months, why hasn't this been fixed?

Re: Bug report - Admin password length - EE Super Hub Plus

JimM11 — Sat, 12 Oct 2024 15:16:49 GMT

@gergy008 Are you asking the forum as to why it's not been fixed?

Re: Bug report - Admin password length - EE Super Hub Plus

Peter_W — Tue, 15 Oct 2024 09:49:23 GMT

Good morning @gergy008.

Welcome to the EE Community, and thanks for taking the time to flag this too.

I can certainly make sure we get this fed back, is it the latest EE Smart Hub Plus that you're referring to here?
Peter

topic Re: Bug report - Admin password length - EE Super Hub Plus in Broadband & Landline

Bug report - Admin password length - EE Super Hub Plus

Re: Bug report - Admin password length - EE Super Hub Plus

Re: Bug report - Admin password length - EE Super Hub Plus

Re: Bug report - Admin password length - EE Super Hub Plus