Password can be set extremely weak in ikus060/rdiffweb
Sep 9th 2022
In this scenario, I use the demo website. It allows us to add more user to test. With password, we can set it 1 (Or any charater). There is no policy for password or no password checking. Moreover, it also allows us to change password and the new password also can be set with password.
Proof of Concept
Access to the demo website and login as an admin. Add user with password 1 or any charater (short, weak) Try to login with the new user and it succeed.
With normal user, login and try to change password function, it also succeed.
Be able to get all user's accounts with weak password by bruteforce attack.