Password Can be set to very weak in ikus060/minarca

Valid

Reported on Sep 13th 2022


Description

For testing the issue, I have used the demo website. In the edit user profile section we can set New Password to 1 (or any single character). There is no password policy and no password checking. Moreover, it also allows us to change the password, and the new password can also be set to a weak password.

Proof of Concept

Access the demo website and log in as an admin. Edit a user with New password 1 or any single character (short, weak). Try to log in as the new user and it succeeds.

With a normal user, log in and try the change password function; it also succeeds.

Impact

An attacker will be able to take over all user accounts that have weak passwords using a brute-force attack.
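The missing control described above is a server-side password policy applied on every path that sets a password (the admin edit-user form and the self-service change-password form alike). The following is an added illustration, not Rdiffweb's or Minarca's own fix: a policy check that returns every rule a candidate violates, wired in front of password storage. The rule thresholds, the small denylist and the in-memory user store are constructed for the example.

```python
import hashlib
import os
import unicodedata
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 8            # illustrative threshold, not the project's value
MAX_LENGTH = 128          # bound hashing cost on attacker-supplied input
MIN_DISTINCT_CHARS = 4    # rejects "aaaaaaaa"-style passwords

# Constructed sample denylist; a deployment would load a full breached-password list.
COMMON_PASSWORDS = frozenset({"password", "12345678", "qwertyui", "letmein1", "admin123"})


def password_policy_errors(password: str, username: str = "") -> List[str]:
    """Return every policy rule the candidate violates; an empty list means it is acceptable."""
    pw = unicodedata.normalize("NFKC", password)  # compare on a canonical form
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        errors.append(f"longer than {MAX_LENGTH} characters")
    if len(set(pw)) < MIN_DISTINCT_CHARS:
        errors.append(f"fewer than {MIN_DISTINCT_CHARS} distinct characters")
    if pw.lower() in COMMON_PASSWORDS:
        errors.append("appears in the common-password list")
    if len(username) >= 3 and username.lower() in pw.lower():
        errors.append("contains the username")
    return errors


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash with PBKDF2-HMAC-SHA256 and a random 16-byte salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt, digest


def set_user_password(users: Dict[str, Tuple[bytes, bytes]], username: str, new_password: str) -> None:
    """Change a user's password, refusing any candidate that fails the policy.

    `users` is a constructed in-memory store mapping username -> (salt, digest).
    Both the admin edit-user path and the self-service change-password path
    should funnel through this single check so neither can bypass it.
    """
    errors = password_policy_errors(new_password, username)
    if errors:
        raise ValueError("weak password: " + "; ".join(errors))
    users[username] = hash_password(new_password)
```

The one-character password from the report fails two rules at once; a policy that only checks length would still accept repeated-character strings, which is why the distinct-character rule is there.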

Patrik Dufresne validated this vulnerability 10 days ago

This vulnerability is valid. It was reported on the Rdiffweb project.

Minarca will get fixed whenever I upgrade the Rdiffweb version embedded in Minarca.

Vanilla has been awarded the disclosure bounty

Vanilla (Researcher), 10 days ago

Hi @patrik, Thank you for the update.

Vanilla (Researcher), 2 days ago

Hi @admin, can we proceed with the CVE?

Jamie Slome (Admin), 2 days ago

Happy to once we get the go-ahead from the maintainer 👍

Patrik Dufresne confirmed that a fix has been merged on 7b5c7e 2 days ago
Patrik Dufresne has been awarded the fix bounty
Patrik Dufresne (Maintainer), 2 days ago

@admin You may assign a CVE to this report

Jamie Slome (Admin), a day ago

Sorted :)
