strong Password Policy Bypass through removing a specific Parameter and setting the Passwort to 1 in modoboa/modoboa
Reported on
Mar 17th 2023
Hello,
i was able to detect another password security issue.
While changing the password the attacker can use the proxy and submit for example password as 1.
Altough there is a passwort policy restriction but i managed to bypass that.
Let me show you :)
The Password is now 2 lets change it to HACK
As you can see we have a password policy at least 8 characters with one digit.
Lets change the password to 1 by deleting the first newpassword and leaving the confirmation.
After that we will login with the passwort 1 to the app.
lets see :)
changed the passwort from 2 to 1 lets see the reply and output
profile and passwort accepted.
lets login with the username: user@demo.local adn PASS: 1
As you can see the password is 1 lets login.
as you can see we have logged in successfully.
Will show it you again.
Bypass for the strong password policy.
Thank you for watching :)
Impact
Hello,
i was able to detect another password security issue.
While changing the password the attacker can use the proxy and submit for example password as 1.
Altough there is a passwort policy restriction but i managed to bypass that.
Let me show you :)
The Password is now 2 lets change it to HACK
As you can see we have a password policy at least 8 characters with one digit.
Lets change the password to 1 by deleting the first newpassword and leaving the confirmation.
After that we will login with the passwort 1 to the app.
lets see :)
changed the passwort from 2 to 1 lets see the reply and output
profile and passwort accepted.
lets login with the username: user@demo.local adn PASS: 1
As you can see the password is 1 lets login.
as you can see we have logged in successfully.
Will show it you again.
Bypass for the strong password policy.
Thank you for watching :)
PR containing a fix: https://github.com/modoboa/modoboa/pull/2949
Can you validate it's working on your side first please?
Can you assign it a CVE ? :) Would me more than happy for that.
Best regards Ahmed Hassan
Good morning :),
Any updates regarding the Assigning of the CVE ?
Best regards Ahmed Hassan