Weak Password Policy in Directory Protection in froxlor/froxlor

Valid

Reported on

Jan 28th 2023


Hello,

The strong password policy is in place everywhere.

BUT

The Directory Protection part allows bypassing this strong password policy and setting a password like "1". This is very easy to brute-force.

Let's see :)


The password is set to "1" and it gets accepted.

As you can see, the password got accepted.

Let's try it in another place where the strong password policy is in place.

FTP enforces a strong password policy and does not allow the password "1".

Thank you for watching :)

Best regards Ahmed Hassan
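One way to close the gap the report describes is to route every password-setting path through a single policy check, so the directory protection feature cannot accept a password that the FTP account form would reject. The PHP below is an added example written for this page; it is not froxlor's code and not the fix shipped in 2.0.10. The policy thresholds (12 characters, four character classes), the user name "alice" and the candidate passwords are constructed for illustration, and the htpasswd-style line is only there to show that the directory-protection path stores a real credential that deserves the same policy as any other account.

```php
<?php
// Added example, not froxlor's code. One password-policy check that every
// password-setting path (panel login, FTP account, directory protection) calls,
// so no single feature can accept a password the others would reject.
// Thresholds below are assumed for illustration, not froxlor's settings.

declare(strict_types=1);

final class PasswordPolicy
{
    public function __construct(
        private int $minLength = 12,
        private bool $requireLower = true,
        private bool $requireUpper = true,
        private bool $requireDigit = true,
        private bool $requireSpecial = true,
    ) {}

    /** Returns the list of violations; an empty list means the password is acceptable. */
    public function violations(string $password): array
    {
        $problems = [];
        if (mb_strlen($password) < $this->minLength) {
            $problems[] = sprintf('at least %d characters required', $this->minLength);
        }
        if ($this->requireLower && !preg_match('/\p{Ll}/u', $password)) {
            $problems[] = 'a lowercase letter is required';
        }
        if ($this->requireUpper && !preg_match('/\p{Lu}/u', $password)) {
            $problems[] = 'an uppercase letter is required';
        }
        if ($this->requireDigit && !preg_match('/\p{Nd}/u', $password)) {
            $problems[] = 'a digit is required';
        }
        if ($this->requireSpecial && !preg_match('/[^\p{L}\p{Nd}]/u', $password)) {
            $problems[] = 'a special character is required';
        }
        return $problems;
    }
}

// Every feature that stores a password passes through the same gate. The
// directory-protection path is the one the report found skipping this step.
// Returns an htpasswd-style "user:hash" line (hypothetical storage format).
function setDirectoryProtectionPassword(PasswordPolicy $policy, string $username, string $password): string
{
    $problems = $policy->violations($password);
    if ($problems !== []) {
        throw new InvalidArgumentException('password rejected: ' . implode('; ', $problems));
    }
    // Apache 2.4 basic auth accepts bcrypt ($2y$) entries in htpasswd files.
    return $username . ':' . password_hash($password, PASSWORD_BCRYPT);
}

// Constructed inputs: the weak password from the report and one that meets the policy.
$policy = new PasswordPolicy();
foreach (['1', 'correct-Horse-9'] as $candidate) {
    try {
        $line = setDirectoryProtectionPassword($policy, 'alice', $candidate);
        echo "accepted '$candidate': $line\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected '$candidate': {$e->getMessage()}\n";
    }
}
```

Run with PHP 8.0 or newer (constructor property promotion). The call for "1" throws with every violated rule listed, and the second candidate is hashed and returned; that is the behaviour the report observed for FTP and expected, but did not get, from directory protection. The check to make in any panel is that no code path writes a password hash without first calling the shared validator.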


We are processing your report and will contact the froxlor team within 24 hours. 2 months ago
Michael Kaufmann validated this vulnerability 2 months ago
ahmedvienna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
ahmedvienna
2 months ago

Researcher


Hello, can you assign it a CVE please?

Michael Kaufmann marked this as fixed in 2.0.10 with commit 2a84e9 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jan 29th 2023
Michael Kaufmann published this vulnerability 2 months ago
ahmedvienna
2 months ago

Researcher


Hello

Why can I not see the CVE on NIST? It tells me the CVE has not been found.

https://nvd.nist.gov/vuln/detail/CVE-2023-0564

ahmedvienna
2 months ago

Researcher


Hello,

I just have a question, please: can you assign the CVE to 2 persons or more?

Because we worked on many vulnerabilities together.

Would this be possible?

Thank you
