Bypassing application logic to set a blank password in ikus060/rdiffweb


Reported on

Sep 26th 2022


As you may observe, rdiffweb strictly enforces a password policy, where it prompts that the password should be between 8 and 128 characters. But the application does not filter blank spaces used in a password.

Proof of Concept

1) Go to
2) Change the password. Old password - admin123; set the new password as 10 blank spaces (tapping the space bar 10 times)
3) You can see that the application accepts blank spaces in a password and does not scrape them out

# Impact

This way a user will be able to set a blank password, bypassing the application logic for password complexity.


Patrik Dufresne
a year ago


I might consider adding a password entropy requirement. But Python libraries are not readily available in Debian to calculate that.

Something like this:

Patrik Dufresne
a year ago


Maybe zxcvbn?
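The gap the report describes (a length-only check that accepts a run of spaces) and the entropy requirement suggested in this thread, shown together as an added Python example. This is not rdiffweb's own code: the function names are hypothetical, the 8 and 128 character limits are the ones the report quotes, and the entropy estimate is a deliberately crude stand-in for zxcvbn, which models dictionary words and keyboard patterns that this estimate cannot see.

```python
# Added example, not rdiffweb's code. Function names are hypothetical.
import math
import string

MIN_LENGTH = 8     # limits as quoted in the report
MAX_LENGTH = 128


def validate_naive(password: str) -> bool:
    """The weak check the report describes: length only, so ten spaces pass."""
    return MIN_LENGTH <= len(password) <= MAX_LENGTH


def estimate_entropy_bits(password: str) -> float:
    """Crude estimate: len(password) * log2(size of the character pool drawn from).

    The pool is the sum of the sizes of the character classes actually used.
    This overcounts repeated characters and dictionary words; zxcvbn does
    much better, which is why it is only a stand-in here.
    """
    classes = [
        (set(string.ascii_lowercase), 26),
        (set(string.ascii_uppercase), 26),
        (set(string.digits), 10),
        (set(string.punctuation), len(string.punctuation)),  # 32
    ]
    pool = 0
    known = set()
    for chars, size in classes:
        if any(c in chars for c in password):
            pool += size
        known |= chars
    # Anything else that is not whitespace (e.g. non-ASCII) is credited with an
    # assumed pool of 32 symbols. Whitespace itself adds nothing to the pool.
    if any(c not in known and not c.isspace() for c in password):
        pool += 32
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def validate_hardened(password: str, min_bits: float = 48.0) -> tuple[bool, str]:
    """Length check on the meaningful characters plus a minimum entropy estimate."""
    # 1. Strip surrounding whitespace first, so a run of spaces becomes empty
    #    instead of satisfying the length rule.
    stripped = password.strip()
    if not stripped:
        return False, "password is blank"
    # 2. Apply the documented limits to what is left. Internal spaces are kept,
    #    since passphrases with spaces are legitimate.
    if not MIN_LENGTH <= len(stripped) <= MAX_LENGTH:
        return False, f"password must be between {MIN_LENGTH} and {MAX_LENGTH} characters"
    # 3. Reject predictable passwords by estimated entropy.
    bits = estimate_entropy_bits(stripped)
    if bits < min_bits:
        return False, f"password too predictable ({bits:.1f} bits, need {min_bits:.0f})"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the report's ten spaces and its old password.
    for candidate in [" " * 10, "admin123", "Tr0ub4dor&3 horse"]:
        print(repr(candidate), validate_naive(candidate), validate_hardened(candidate))
```

Ten spaces pass `validate_naive` and are rejected by `validate_hardened` as blank; `admin123` passes the length rule in both but falls below the entropy floor in the hardened version. The threshold of 48 bits is an assumption for the example, and a real deployment would take the score from zxcvbn rather than from this estimate.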

Patrik Dufresne assigned a CVE to this report a year ago
Patrik Dufresne validated this vulnerability a year ago
Nehal Pillai
a year ago


Hello sir, thank you for the quick response. Here is an example

Nehal Pillai
a year ago


Oh yes!
Works :). It's indeed a pretty good idea.

Patrik Dufresne marked this as fixed in 2.4.9 with commit ee98e5 a year ago
This vulnerability will not receive a CVE
prefs_general.html#L1-L30 has been validated