|Requires Admin Access:||Yes|
|Credit:||it.sec GmbH & Co. KG – Hans-Martin Münch & Markus Piéton|
The vulnerabilities in the user account management allow attackers to circumvent the access controls by brute-forcing weak passwords and using default users to gain possible access to administrative interface. The implementation of the password reset function allows a attacker to reset passwords and brute-force the newly set passwords easily without requiring access to the user’s mail address.
Dotcms installations can override the class/toolkit that is responsible for validating password complexity and generating random passwords. This is a “pluggable” implementaion and the issue with weak password generation can be resolved in a plugin. This can be done by providing a custom class and changing the system property to use it:
We agree that the default “random” password is too weak and will update the class accordingly. Additionally, the system user should not be able to authenticate ever, which will be fixed as well.
Workaround: many of our customers who have custom password security requirements authenticate their user accounts with LDAP or AD systems and leverage the security those systems can provide when enforcing password rules or securing user passwords.