Bug report - Admin password length - EE Super Hub Plus

gergy008
Investigator

Hi,
I'm not sure how to submit a bug report with the router firmware that I found on the EE Super Hub Plus. So, I thought I would throw everything I know about the bug below. This might also make for a good bug reporting template.

Define the problem - What happened, and how can you trigger this again?
Change administrator password text field allows more characters than the text field used to enter and change administrator settings. Change password to a long password, then try to enter it when changing settings. The field is limited so the password cannot be accepted.

What's the consequence?
After changing the user password to a password longer than 20 characters, the user is then locked out and unable to access administrator controls.

How is this resolved by a customer?
Full router reset required to get the default admin password back, then the password can be changed to one that is less than or equal to 20 characters.

Is there a workaround?
After changing password to more than 20 characters, a user can use Inspect Element in the browser to manually change the maxlength attribute of the text field to accept more characters. The user can then log in just fine with the longer password.

Is this a potential security risk?
Very low risk

If it is a potential security risk, how?
Maximum password length is artificially and arbitrarily limited, making it easier for an agent to crack or guess. The entire router interface, and the internal router software itself, will accept a much longer password just fine.

What's the fix for the software developer?
Review or remove requirement for max length via maxlength attribute used within password field of the confirm admin password modal.

DO NOT reduce the maxlength attribute value for the change admin password screen, unless other technical reasons for reduction are present (otherwise a low security risk would remain present).
DO NOT truncate the user input (at any point) as this would introduce a new high security risk.
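The fix the post recommends comes down to one rule: every password field in the interface must accept at least as many characters as the change-password field does, and the back end must reject over-length input rather than cut it. The following is an added example, not code from the original post or from the EE router firmware. It derives every password input's maxlength from one shared policy, validates server-side without truncating, and runs a consistency check over form markup to flag any field that would lock a user out. The policy values, field names and sample HTML are constructed for illustration.

```javascript
// Added example (not from the EE forum post or the router firmware).
// One shared password policy drives (a) the maxlength rendered on every
// password input, (b) server-side validation that rejects rather than
// truncates, and (c) a check over existing form markup that catches the
// mismatch described in the bug report.

const PASSWORD_POLICY = Object.freeze({
  minLength: 8,
  // Hypothetical upper bound: limits request size, does not cap entropy.
  maxLength: 128,
});

// Render a password <input> whose maxlength comes from the policy, so the
// change-password form and the confirm/login form can never disagree.
function renderPasswordInput(name) {
  return `<input type="password" name="${name}" ` +
    `minlength="${PASSWORD_POLICY.minLength}" maxlength="${PASSWORD_POLICY.maxLength}">`;
}

// Server-side validation. Returns {ok: true} or {ok: false, reason}.
// Over-length input is rejected, never silently cut: truncating would let
// a different (shorter) string authenticate, which is the high-risk case
// the report warns against.
function validatePassword(candidate) {
  if (typeof candidate !== "string") return { ok: false, reason: "not a string" };
  const len = [...candidate].length; // count code points, not UTF-16 units
  if (len < PASSWORD_POLICY.minLength) return { ok: false, reason: "too short" };
  if (len > PASSWORD_POLICY.maxLength) return { ok: false, reason: "too long" };
  return { ok: true };
}

// Pull every password input's maxlength out of a fragment of form HTML.
// A missing maxlength is reported as null (no client-side limit).
function extractMaxlengths(html) {
  const results = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    if (!/type\s*=\s*["']?password["']?/i.test(tag)) continue;
    const nameMatch = tag.match(/name\s*=\s*["']?([^"'\s>]+)/i);
    const maxMatch = tag.match(/maxlength\s*=\s*["']?(\d+)/i);
    results.push({
      name: nameMatch ? nameMatch[1] : "(unnamed)",
      maxlength: maxMatch ? Number(maxMatch[1]) : null,
    });
  }
  return results;
}

// Compare the forms. Any password field that accepts fewer characters than
// the change-password field is a lockout path: a password set through the
// larger field cannot be typed into the smaller one.
function findLockoutRisks(changeFormHtml, otherFormsHtml) {
  const setFields = extractMaxlengths(changeFormHtml);
  const setLimit = Math.max(...setFields.map((f) => f.maxlength ?? Infinity));
  const risks = [];
  for (const [form, html] of Object.entries(otherFormsHtml)) {
    for (const field of extractMaxlengths(html)) {
      const limit = field.maxlength ?? Infinity;
      if (limit < setLimit) {
        risks.push({ form, field: field.name, maxlength: limit, setLimit });
      }
    }
  }
  return risks;
}

// Constructed sample markup modelled on the report: the change-password
// form accepts 64 characters, the confirm-settings modal only 20.
const SAMPLE_CHANGE_FORM = `
<form id="change-admin-password">
  <input type="password" name="new_password" maxlength="64">
  <input type="password" name="new_password_confirm" maxlength="64">
</form>`;

const SAMPLE_CONFIRM_MODAL = `
<form id="confirm-admin">
  <input type="password" name="admin_password" maxlength="20">
</form>`;

console.log(findLockoutRisks(SAMPLE_CHANGE_FORM, { confirmModal: SAMPLE_CONFIRM_MODAL }));
console.log(validatePassword("x".repeat(30)));
```

Running the block with Node prints one lockout risk for the sample confirm modal (limit 20 against a set limit of 64) and an `ok: true` result for a 30-character password. Because `renderPasswordInput` and `validatePassword` read the same constant, raising or lowering the limit happens in exactly one place, which is what prevents the two fields from drifting apart again.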

JimM11
Brilliant Contributor

@gergy008 Are you asking the forum as to why it's not been fixed?

Peter_W
EE Community Support Team

Good morning @gergy008.

Welcome to the EE Community, and thanks for taking the time to flag this too. 

I can certainly make sure we get this fed back. Is it the latest EE Smart Hub Plus that you're referring to here?
Peter