/

Weak policy at Change password function in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 11th 2022

Description

BookWyrm uses weak password policy when allows user to change password with just 1 character through the change password function.

Steps to reproduce

1.Login then go to the Change password page (https://book.dansmonorage.blue/preferences/password)
2.Enter a character (for example: 1) in the new password field and the same in the confirm password field
3.You will see that the password has been changed successfully.

Impact

When users change password to a too simple password, attacker can easily guess user password and access account.

Suggestion

BookWyrm should apply more strict policy in changing password such as the password length must be more than or equal to 8, at least 1 special character, at least 1 number, at least one capital character,...

Occurrences

change_password.py L14-L49

password.py L1-L83

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. 23 days ago

Mouse Reeve validated this vulnerability 23 days ago

KhanhCM has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Mouse Reeve confirmed that a fix has been merged on 137311 23 days ago

The fix bounty has been dropped

change_password.py#L14-L49 has been validated

password.py#L1-L83 has been validated

to join this conversation

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. 23 days ago

Mouse Reeve validated this vulnerability 23 days ago

KhanhCM has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Mouse Reeve confirmed that a fix has been merged on 137311 23 days ago

The fix bounty has been dropped

change_password.py#L14-L49 has been validated

password.py#L1-L83 has been validated

to join this conversation