[ https://issues.apache.org/jira/browse/JSPWIKI-80?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Janne Jalkanen updated JSPWIKI-80:
----------------------------------

    Fix Version/s:     (was: 3.0)
                   3.1

Postponing to 3.1; I'd like to make this a pluginizable component; perhaps done 
through a scripting framework (e.g. a local piece of script that gets run to 
validate the password; that would allow it to be configured very dynamically by 
the admin.)

> Ounce Labs Security Finding: Authentication - Password Policy Rules Not Available
> ---------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-80
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-80
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 2.4.104
>            Reporter: Cristian Borlovan
>            Assignee: Andrew Jaquith
>             Fix For: 3.1
>
>         Attachments: report.pdf
>
>
> Description: 
> The application currently does not provide the means for application 
> administrators to enforce strong password policies.  Without strong password 
> policies, it is highly likely that end users will select weak passwords and 
> the application will allow the use of these weak passwords. If usability 
> requirements dictate allowing weaker passwords, it is still desirable for 
> certain JSPWiki administrators to have the configurable option of enforcing 
> certain password policies.  Currently the only enforcement in place is that 
> the password cannot be null or be that of the username.
> Recommendation:
> Consider implementing the capability for JSPWiki administrators to enforce 
> stronger password complexity policies.  For example, consider password 
> length, character enforcement rules dictating special characters, etc. 
> Related Code Locations: 
> 1 findings:
>   Name:           com.ecyrd.jspwiki.auth.UserManager.validateProfile(com.ecyrd.jspwiki.WikiContext;com.ecyrd.jspwiki.auth.user.UserProfile):void
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     425 / 0
>   Context:        password . java.lang.String.equals ( password2 )
>     -----------------------------------

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
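The finding above asks for an administrator-configurable password policy (minimum length, character-class rules, not equal to the login name) in place of the single null/username check in UserManager.validateProfile. The class below is an added illustration written for this note, not JSPWiki code and not the scripting hook Janne proposes: it assumes hypothetical jspwiki.properties keys (jspwiki.password.minLength and friends) and returns a list of violated rules so a caller such as validateProfile could reject the profile with a useful message.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/**
 * Configurable password policy (illustrative example, not JSPWiki code).
 * Property names below are assumed; JSPWiki defines no such keys.
 */
public final class PasswordPolicy {
    private final int minLength;
    private final boolean requireDigit;
    private final boolean requireMixedCase;
    private final boolean requireSpecial;

    public PasswordPolicy(int minLength, boolean requireDigit,
                          boolean requireMixedCase, boolean requireSpecial) {
        this.minLength = minLength;
        this.requireDigit = requireDigit;
        this.requireMixedCase = requireMixedCase;
        this.requireSpecial = requireSpecial;
    }

    /** Builds a policy from jspwiki.properties-style keys (hypothetical key names). */
    public static PasswordPolicy fromProperties(Properties p) {
        return new PasswordPolicy(
            Integer.parseInt(p.getProperty("jspwiki.password.minLength", "8")),
            Boolean.parseBoolean(p.getProperty("jspwiki.password.requireDigit", "true")),
            Boolean.parseBoolean(p.getProperty("jspwiki.password.requireMixedCase", "true")),
            Boolean.parseBoolean(p.getProperty("jspwiki.password.requireSpecial", "true")));
    }

    /** Returns every violated rule; an empty list means the password is acceptable. */
    public List<String> validate(String loginName, String password) {
        List<String> problems = new ArrayList<>();
        if (password == null || password.isEmpty()) {
            problems.add("Password must not be empty.");
            return problems;
        }
        // Keep the existing rule, but compare case-insensitively so "Alice"/"alice" is caught.
        if (loginName != null && password.equalsIgnoreCase(loginName)) {
            problems.add("Password must not be the login name.");
        }
        if (password.length() < minLength) {
            problems.add("Password must be at least " + minLength + " characters.");
        }
        boolean digit = false, upper = false, lower = false, special = false;
        for (char c : password.toCharArray()) {
            if (Character.isDigit(c)) digit = true;
            else if (Character.isUpperCase(c)) upper = true;
            else if (Character.isLowerCase(c)) lower = true;
            else if (!Character.isWhitespace(c)) special = true;
        }
        if (requireDigit && !digit) problems.add("Password must contain a digit.");
        if (requireMixedCase && !(upper && lower)) problems.add("Password must mix upper and lower case.");
        if (requireSpecial && !special) problems.add("Password must contain a special character.");
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample configuration and inputs for demonstration.
        Properties p = new Properties();
        p.setProperty("jspwiki.password.minLength", "10");
        PasswordPolicy policy = PasswordPolicy.fromProperties(p);
        String[][] samples = {
            {"alice", "alice"},        // equals login name, too short, no digit/upper/special
            {"alice", "Tr0ub4dor&3"},  // satisfies every rule
            {"bob",   "short1A!"}      // only the length rule fails
        };
        for (String[] s : samples) {
            List<String> problems = policy.validate(s[0], s[1]);
            System.out.println(s[1] + " -> " + (problems.isEmpty() ? "OK" : problems));
        }
    }
}
```

The validator is meant to be invoked on the server-side profile save path (the validateProfile method named in the finding), not only in the JSP form, so that the policy cannot be bypassed by posting the form directly; reporting all violations at once rather than the first one keeps the usability cost of a stricter policy low.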
