Bypassing application logic to set a blank password in ikus060/rdiffweb

Valid

Reported on

Sep 26th 2022


Description

As you may observe, rdiffweb strictly has a password policy where it prompts that the password should be between 8 and 128 characters. But the application does not filter blank spaces used in a password.

Proof of Concept

1) Go to https://rdiffweb-demo.ikus-soft.com/prefs/general
2) Change the password. Old password: admin123. Set the new password as 10 blank spaces (tapping the space bar 10 times).
3) You can see that the application accepts blank spaces in a password and does not scrape them out.

Impact

This way a user will be able to set a blank password, bypassing the application logic for password complexity.
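The report above describes a length check that whitespace alone can satisfy. The following is an added example, not rdiffweb's code (the 8 to 128 limits come from the report; the function and constant names are constructed), showing the length-only check beside a hardened one that rejects leading or trailing whitespace and counts only non-whitespace characters toward the minimum, so interior spaces in a passphrase remain allowed but padding cannot satisfy the rule:

```python
# Added example, not rdiffweb's code: the 8..128 limits come from the report,
# the function names are constructed for this illustration.

MIN_LEN = 8
MAX_LEN = 128


def check_password_length_only(password: str) -> bool:
    """Length-only rule as described in the report.

    Ten spaces have length 10, so this accepts a password that is entirely
    blank; this is the behaviour the report demonstrates.
    """
    return MIN_LEN <= len(password) <= MAX_LEN


def check_password_hardened(password: str) -> tuple:
    """Length rule that whitespace cannot satisfy.

    Interior spaces stay allowed (passphrases are fine), but only
    non-whitespace characters count toward the minimum; leading and trailing
    whitespace is rejected so a copy-paste slip does not silently change the
    stored secret; the maximum still applies to the raw input.
    Returns (accepted, reason).
    """
    if not password:
        return False, "password is empty"
    if password != password.strip():
        return False, "leading or trailing whitespace is not allowed"
    if len(password) > MAX_LEN:
        return False, f"password longer than {MAX_LEN} characters"
    visible = sum(1 for ch in password if not ch.isspace())
    if visible < MIN_LEN:
        return False, f"at least {MIN_LEN} non-whitespace characters required"
    return True, "ok"


def demo() -> dict:
    """Run both checks over constructed inputs: name -> (length_only, hardened)."""
    samples = {
        "ten spaces": " " * 10,                      # the report's PoC input
        "admin123": "admin123",                      # the report's old password
        "spaced passphrase": "correct horse battery staple",
        "spaced letters": "a b c d e",               # 9 chars, only 5 visible
        "padded short": "abc" + " " * 7,
    }
    return {
        name: (check_password_length_only(pw), check_password_hardened(pw)[0])
        for name, pw in samples.items()
    }


if __name__ == "__main__":
    for name, (naive, hardened) in demo().items():
        print(f"{name:20s} length-only={naive!s:5s} hardened={hardened}")
```

The "spaced letters" sample is the reason the hardened check counts visible characters rather than only trimming: a nine-character string with four interior spaces passes a trim-then-measure rule but still carries only five characters of actual secret.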

References

Patrik Dufresne
a year ago

Maintainer


I might consider adding a password entropy requirement. But Python libraries are not readily available in Debian to calculate that.

Something like this: https://ritcyberselfdefense.wordpress.com/2011/09/24/how-to-calculate-password-entropy/

Patrik Dufresne
a year ago

Maintainer


Maybe zxcvbn?

Patrik Dufresne assigned a CVE to this report a year ago
Patrik Dufresne validated this vulnerability a year ago
Nehal Pillai has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nehal Pillai
a year ago

Researcher


Hello sir, thank you for the quick response. Here is an example: https://github.com/WeblateOrg/weblate/commit/708712e8fb5d990956f695023f0213acd99676ef

Nehal Pillai
a year ago

Researcher


Oh yes! https://ritcyberselfdefense.wordpress.com/2011/09/24/how-to-calculate-password-entropy/
Works :). It's indeed a pretty good idea.
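The entropy requirement discussed in the comments above, as an added example that is neither rdiffweb's code nor the linked article's: it assumes the pool-size formula L × log2(R) that such calculators typically use (L is the length, R the size of the character pools the password draws from), and pairs it with a Shannon-entropy bound so that a password made of one repeated character, such as the ten spaces from the report, scores zero, which the pool formula alone does not catch. The pool definitions and the 40-bit threshold are constructed for the example; zxcvbn, which the maintainer also mentions, would catch this case and many more, and is not reproduced here.

```python
import math
import string
from collections import Counter

# Added example, not rdiffweb's or the linked article's code. The pool-size
# formula L * log2(R) is assumed to be what the linked calculator does; the
# pool definitions and the policy threshold below are constructed.
POOLS = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)


def pool_size(password: str) -> int:
    """R: size of the union of character pools the password draws from.

    Characters outside the listed pools (non-ASCII, tabs) each add one to
    the pool rather than being ignored.
    """
    size = 0
    for pool in POOLS:
        if any(ch in pool for ch in password):
            size += len(pool)
    others = {ch for ch in password if not any(ch in pool for pool in POOLS)}
    return size + len(others)


def pool_entropy_bits(password: str) -> float:
    """L * log2(R): the usual calculator estimate.

    Blind to repetition: ten spaces rate the same as ten distinct symbols
    drawn from the same pool.
    """
    r = pool_size(password)
    return len(password) * math.log2(r) if r else 0.0


def shannon_bits(password: str) -> float:
    """L * H(empirical character distribution): zero for one repeated char."""
    n = len(password)
    if n == 0:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in Counter(password).values())
    return max(0.0, n * h)


def strength_bits(password: str) -> float:
    """Take the lower of the two estimates so repetition cannot inflate it."""
    return min(pool_entropy_bits(password), shannon_bits(password))


def meets_policy(password: str, min_bits: float = 40.0) -> bool:
    """Constructed policy: require at least min_bits of estimated strength."""
    return strength_bits(password) >= min_bits


if __name__ == "__main__":
    for pw in (" " * 10, "aaaaaaaaaa", "admin123", "correct horse battery staple"):
        print(f"{pw!r:32s} pool={pool_entropy_bits(pw):6.1f} "
              f"shannon={shannon_bits(pw):6.1f} ok={meets_policy(pw)}")
```

Run stand-alone, the table shows the caveat directly: the pool formula gives ten spaces roughly 50 bits because the space character sits in the symbol pool, while the Shannon bound gives them zero and the combined score rejects them.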

Patrik Dufresne marked this as fixed in 2.4.9 with commit ee98e5 a year ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability will not receive a CVE
prefs_general.html#L1-L30 has been validated