Submission Details
Severity: high
Valid

Everyone can set new password

Summary

Everyone can set a new password using the setPassword() function.

Vulnerability Details

The setPassword() function takes a single parameter, newPassword, and writes it to the stored password.
According to the business rules only the owner should be able to set a new password, but the code never checks that msg.sender is the owner before performing the write.

Impact

Any account, not only the owner, can overwrite the stored password.

Tools Used

Manual review

Recommendations

Add an owner check like the one in the getPassword() function. Since the logic for checking whether the caller is the owner is the same in both functions, it can be extracted into a custom modifier:

```solidity
// Only the owner may overwrite the stored password.
function setPassword(string memory newPassword) external onlyOwner {
    s_password = newPassword;
    emit SetNetPassword();
}

// Modifiers must be placed before the returns clause.
function getPassword() external view onlyOwner returns (string memory) {
    return s_password;
}

// Reverts with the contract's custom error when the caller is not the owner.
modifier onlyOwner() {
    if (msg.sender != s_owner) {
        revert PasswordStore__NotOwner();
    }
    _;
}
```
Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
