Bug #14277
fermé
Password policy enforcement bypass
100%
Description
When creating an account or changing password, a request is made to check that the password complies with existing password policies and then a separate request is made to create the account. No check is made to ensure that the password that is tested for compliance to password policy matches the one that is submitted for account creation meaning that by manipulating the second request, you could set a password to '1' or a similarly noncomplex password.
Mis à jour par Miguel Moquillon il y a 4 mois
- Assigné à mis à Miguel Moquillon
- Version cible mis à Version 6.4.2
Mis à jour par Miguel Moquillon il y a 4 mois
- Statut changé de In progress... à Resolved
- % réalisé changé de 0 à 100
- The first one is to check the password satisfies all the password rules;
- The last one is to save effectively the password.
In order to avoid a mismatch between the password that was checked and the one that has to be saved, the password to save is compared to the checked one. For doing, the checked password is cached under an auto generated key. The client asking to effectively save the new password has to pass this key. If this key is invalid or not provided, then an error is sent back. If the checked password doesn't match the password to save, an error is also sent back. By this way, with a double verification, we ensure to block any attempts to circumvent the process of password change/set.
See PR https://github.com/Silverpeas/Silverpeas-Core/pull/1352
Mis à jour par Miguel Moquillon il y a 3 mois
- Statut changé de Resolved à Closed
Merged into the branches 6.4.x and master