Projet

Général

Profil

Actions

Bug #14277

fermé

Password policy enforcement bypass

Ajouté par Nate McGraw il y a 5 mois. Mis à jour il y a 4 mois.

Statut:
Closed
Priorité:
Normal
Assigné à:
Catégorie:
-
Début:
24/07/2024
Echéance:
% réalisé:

100%

Temps estimé:
Navigateur:
Firefox
Votre version de Silverpeas:
6.3
Système d'exploitation:
Votre base de données:
Toutes
Livraison en TEST:
Livraison en PROD:

Description

When creating an account or changing password, a request is made to check that the password complies with existing password policies and then a separate request is made to create the account. No check is made to ensure that the password that is tested for compliance to password policy matches the one that is submitted for account creation meaning that by manipulating the second request, you could set a password to '1' or a similarly noncomplex password.

Mis à jour par Miguel Moquillon il y a 5 mois

  • Assigné à mis à Miguel Moquillon
  • Version cible mis à Version 6.4.2

Mis à jour par Miguel Moquillon il y a 5 mois

  • Statut changé de New à In progress...

Mis à jour par Miguel Moquillon il y a 5 mois

  • Statut changé de In progress... à Resolved
  • % réalisé changé de 0 à 100
The change/set of a password is made within two steps (two requests from the client):
  • The first one is to check the password satisfies all the password rules;
  • The last one is to save effectively the password.

In order to avoid a mismatch between the password that was checked and the one that has to be saved, the password to save is compared to the checked one. For doing, the checked password is cached under an auto generated key. The client asking to effectively save the new password has to pass this key. If this key is invalid or not provided, then an error is sent back. If the checked password doesn't match the password to save, an error is also sent back. By this way, with a double verification, we ensure to block any attempts to circumvent the process of password change/set.

See PR https://github.com/Silverpeas/Silverpeas-Core/pull/1352

Mis à jour par Miguel Moquillon il y a 4 mois

  • Statut changé de Resolved à Closed

Merged into the branches 6.4.x and master

Actions

Formats disponibles : Atom PDF