Abdur-rahmaanJ
commented
3 months ago How was it introduced?
- Used default from another package, also partly because it was a small project at first
- Why remained unchanged? Did not focus on it till you bring this out today
Thanks a lot!
Hello shopcube developers,
We are a cybersecurity research group from the CISPA Helmholtz Center for Information Security and Caβ Foscari University of Venice. We recently conducted an analysis of the session management in web applications on GitHub as part of our research. We have discovered a security vulnerability in your code that we believe requires your attention.
Vulnerability Description:
With our analysis, we have identified that your application is not performing any password complexity checks upon user registration, it only checks that the password length is between 6 and 25 characters. This would allow users to set very weak passwords such as β123456β, which, in turn, would expose them to the risk of getting their accounts stolen. This is because weak passwords, in addition to being vulnerable to brute-force attacks, can also be easily guessed.
https://github.com/Abdur-rahmaanJ/shopcube/blob/ce1545706ac5d5e0facc720be3e7a346f8a168e3/src/shopcube/modules/box__default/auth/forms.py#L40
https://github.com/Abdur-rahmaanJ/shopcube/blob/ce1545706ac5d5e0facc720be3e7a346f8a168e3/src/shopcube/modules/box__ecommerce/shop/forms.py#L181
Recommendation for Mitigation:
We recommend adding the regexp validator (https://wtforms.readthedocs.io/en/3.1.x/validators/#wtforms.validators.Regexp), available in WTForms and Flask-WTF, in order to perform password complexity checks. By adding this validator, passwords will have to match a certain regular expression, otherwise they will be rejected. A simple regexp that could be used is the following: β^(?=.[A-Z])(?=.[a-z])(?=.\d)(?=.[@$!%?&])[A-Za-z\d@$!%?&]$β. This regexp checks for the presence of an uppercase, lowercase, digit and special character.
We hope this notification helps improve your security.
In addition to addressing this issue, we are interested in understanding how this vulnerability was introduced in the code or why it has remained unchanged. This information can provide valuable insights into common security pitfalls and help us all improve security practices in the future. Could you share any background on this aspect? We would greatly appreciate your input on this matter. Thank you!
Should you have further questions or comments on this, feel free to answer this thread.
Kind regards, Simone