Password Complexity Not Enforced On Password Change
Low
ownCloud
Reported by
cosmopolitan_fi
Vulnerability Details
Technical details and impact analysis
Hi!
ownCloud does not enforce password complexity on password change, so it's possible to use passwords of any size or form.
For example, I can set my password to be "a" or "qwerty".
__________________________________________________________________
How to reproduce:
Change your password to something that does not match your required complexity.
__________________________________________________________________
Proof Of Concept:
Login with my dummy account
account --> "[email protected]"
password --> "q"
__________________________________________________________________
Thanks!
WdeM
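The weakness reported above is a policy check that exists on one path that sets a password but not on the change path. The Python code below is an added example, not ownCloud code and not part of the report: it routes account creation and password change through one server-side check. The `Accounts` class, the minimum length of 10 and the small blocklist are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 10  # assumed policy value, not taken from ownCloud
COMMON = {"qwerty", "password", "123456", "letmein"}  # constructed sample blocklist


class PolicyError(ValueError):
    """Raised when a candidate password violates the policy."""


def check_policy(password, username):
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON:
        problems.append("on the common-password blocklist")
    if username and username.lower() in password.lower():
        problems.append("contains the account name")
    if problems:
        raise PolicyError("; ".join(problems))


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Accounts:  # hypothetical in-memory user store
    def __init__(self):
        self._users = {}

    def _set_password(self, username, password):
        # Single choke point: creation and change both pass through the policy.
        check_policy(password, username)
        salt = os.urandom(16)
        self._users[username] = (salt, _derive(password, salt))

    def create(self, username, password):
        self._set_password(username, password)

    def verify(self, username, password):
        entry = self._users.get(username)
        return entry is not None and hmac.compare_digest(entry[1], _derive(password, entry[0]))

    def change_password(self, username, current, new):
        if not self.verify(username, current):
            raise PermissionError("current password is incorrect")
        self._set_password(username, new)  # "a", "q", "qwerty" raise PolicyError here
```

Because the check lives in `_set_password` rather than in a form handler, any other route that sets a password (admin reset, API call) inherits it as long as it calls the same method.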
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Violation of Secure Design Principles