[
https://issues.apache.org/jira/browse/JSPWIKI-80?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18038029#comment-18038029
]
Alex O'Ree commented on JSPWIKI-80:
-----------------------------------
does this meet the need?
https://github.com/apache/jspwiki/pull/433
> Ounce Labs Security Finding: Authentication - Password Policy Rules Not
> Available
> ---------------------------------------------------------------------------------
>
> Key: JSPWIKI-80
> URL: https://issues.apache.org/jira/browse/JSPWIKI-80
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication & Authorization
> Affects Versions: 2.4.104
> Reporter: Cristian Borlovan
> Assignee: Andrew R. Jaquith
> Priority: Major
> Fix For: STRIPES/JCR-3.1
>
> Attachments: report.pdf
>
>
> Description:
> The application currently does not provide the means for application
> administrators to enforce strong password policies. Without strong password
> policies, it is highly likely that end users will select weak passwords and
> the application will allow the use of these weak passwords. If usability
> requirements dictate allowing weaker passwords, it is still desirable for
> certain JSPWiki administrators to have this configurable option of enforcing
> certain password policies. Currently the only enforcement in place is that
> the password cannot be null or be that of the username.
> Recommendation:
> Consider implementing the capability for JSPWiki administrators to enforce
> stronger password complexity policies. For example, consider password
> length, character enforcement rules dictating special characters, etc.
> Related Code Locations:
> 1 findings:
> Name:
> com.ecyrd.jspwiki.auth.UserManager.validateProfile(com.ecyrd.jspwiki.WikiContext;com.ecyrd.jspwiki.auth.user.UserProfile):void
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 425 / 0
> Context: password . java.lang.String.equals ( password2 )
> -----------------------------------
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
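The quoted finding locates the only existing checks in UserManager.validateProfile (the password/confirmation comparison at the reported line, plus the non-null and not-equal-to-username rules) and asks for administrator-configurable length and character-class rules. Below is an added, stand-alone illustration of such a policy, written for this editorial note; it is not JSPWiki's code, not the PR linked in the comment above, and the property keys (password.minLength, password.requireUpper, etc.) and the sample inputs are hypothetical, chosen for the example. It keeps the two checks the finding says already exist and layers the configurable rules on top, returning every violation at once so the user sees the full list.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.function.IntPredicate;

/**
 * Added example (not JSPWiki code): an administrator-configurable password policy of the
 * kind the finding recommends. Property keys below are hypothetical, chosen for this
 * illustration; they are not JSPWiki settings.
 */
public class PasswordPolicyExample {

    /** Rules an administrator can switch on; defaults are permissive so nothing changes unless configured. */
    static final class PasswordPolicy {
        private final int minLength;
        private final boolean requireUpper;
        private final boolean requireLower;
        private final boolean requireDigit;
        private final boolean requireSpecial;

        PasswordPolicy(Properties props) {
            // Hypothetical keys, read the way jspwiki.properties-style settings usually are.
            minLength      = Integer.parseInt(props.getProperty("password.minLength", "0"));
            requireUpper   = Boolean.parseBoolean(props.getProperty("password.requireUpper", "false"));
            requireLower   = Boolean.parseBoolean(props.getProperty("password.requireLower", "false"));
            requireDigit   = Boolean.parseBoolean(props.getProperty("password.requireDigit", "false"));
            requireSpecial = Boolean.parseBoolean(props.getProperty("password.requireSpecial", "false"));
        }

        /** Returns every rule the candidate violates; an empty list means the password is acceptable. */
        List<String> validate(String loginName, String password, String password2) {
            List<String> errors = new ArrayList<>();

            // The checks the finding says already exist: non-null/non-empty, matches its
            // confirmation, and is not simply the login name.
            if (password == null || password.isEmpty()) {
                errors.add("Password must not be empty.");
                return errors;                       // nothing further worth checking
            }
            if (!password.equals(password2)) {
                errors.add("Password and confirmation do not match.");
            }
            if (loginName != null && password.equalsIgnoreCase(loginName)) {
                errors.add("Password must not be the same as the login name.");
            }

            // Administrator-configurable rules layered on top.
            if (password.length() < minLength) {
                errors.add("Password must be at least " + minLength + " characters.");
            }
            if (requireUpper && !containsClass(password, Character::isUpperCase)) {
                errors.add("Password must contain an upper-case letter.");
            }
            if (requireLower && !containsClass(password, Character::isLowerCase)) {
                errors.add("Password must contain a lower-case letter.");
            }
            if (requireDigit && !containsClass(password, Character::isDigit)) {
                errors.add("Password must contain a digit.");
            }
            if (requireSpecial && !containsClass(password,
                    c -> !Character.isLetterOrDigit(c) && !Character.isWhitespace(c))) {
                errors.add("Password must contain a special character.");
            }
            return errors;
        }

        /** True if at least one code point of the password satisfies the predicate. */
        private static boolean containsClass(String password, IntPredicate cls) {
            return password.codePoints().anyMatch(cls);
        }
    }

    public static void main(String[] args) {
        Properties props = new Properties();         // constructed sample configuration
        props.setProperty("password.minLength", "12");
        props.setProperty("password.requireDigit", "true");
        props.setProperty("password.requireSpecial", "true");
        PasswordPolicy policy = new PasswordPolicy(props);

        String[][] samples = {                       // constructed inputs: login, password, confirmation
            {"alice", "alice",           "alice"},           // equals the login name, too short, no digit/special
            {"alice", "hunter2",         "hunter2"},         // too short, no special character
            {"alice", "Correct-Horse-7", "correct-horse-7"}, // confirmation mismatch
            {"alice", "Correct-Horse-7", "Correct-Horse-7"}, // accepted
        };
        for (String[] s : samples) {
            List<String> errors = policy.validate(s[0], s[1], s[2]);
            System.out.println("\"" + s[1] + "\" -> " + (errors.isEmpty() ? "accepted" : errors));
        }
    }
}
```

Two practitioner notes on the design. First, all rules default to off, so an upgraded deployment keeps the behaviour the finding describes until an administrator opts in, which matches the reporter's point that usability requirements may still call for weaker passwords. Second, composition rules of this kind are the weakest of the levers: a minimum length and a denylist of known-breached or dictionary passwords do more against real attacks than a mandatory special character, so if only one knob is turned on, make it the length.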