Atjiu Pybbs Weak Password Policy Vulnerability in UserAdminController

Vulnerability

A critical vulnerability exists in Atjiu Pybbs versions up to 6.0.0, specifically in the UserAdminController.java file. The issue arises in the 'update' function, where password requirements are insufficiently enforced. This flaw allows users to create accounts with weak passwords, potentially consisting of a single digit. Such lax requirements can lead to account compromises through password guessing or brute-force attacks. The vulnerability can be exploited remotely, and while the exploitation is considered difficult, a public exploit is available.

Impact

Exploitation of this vulnerability allows for the creation of accounts with weak passwords, increasing the risk of account compromise through guessing or brute-force methods.

Reproduction

To reproduce this vulnerability, register a new account on an Atjiu Pybbs instance running a version prior to 6.0.0. During the registration process, enter a password that does not meet typical security standards, such as a single digit. The account will be created successfully, demonstrating the lack of a robust password policy.

Remediation

Users are advised to update to the latest version of Atjiu Pybbs, where this vulnerability has been addressed.
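The fix on the application side is a server-side password policy that is applied on every path that sets a password (self-service registration and the admin update endpoint alike), so that a value like a single digit is rejected before it is hashed and stored. The following is an added example of such a check, not code from the Pybbs project; the class name, method names, thresholds and the small list of common passwords are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example: a server-side password policy validator. Class and method
// names, the length thresholds and the deny-list are assumptions, not Pybbs code.
public final class PasswordPolicy {

    public static final int MIN_LENGTH = 12;
    public static final int MAX_LENGTH = 128; // bound the input to the password hash

    // Constructed sample of commonly used passwords; a deployment would load a larger list.
    private static final Set<String> COMMON =
            Set.of("password", "123456", "qwerty", "admin", "letmein");

    private PasswordPolicy() {}

    /** Returns the policy violations for a candidate password; empty means acceptable. */
    public static List<String> violations(String password, String username) {
        List<String> problems = new ArrayList<>();
        if (password == null || password.isEmpty()) {
            problems.add("password is required");
            return problems;
        }
        if (password.length() < MIN_LENGTH) {
            problems.add("shorter than " + MIN_LENGTH + " characters");
        }
        if (password.length() > MAX_LENGTH) {
            problems.add("longer than " + MAX_LENGTH + " characters");
        }

        // Count character classes present: lower case, upper case, digits, anything else.
        boolean lower = false, upper = false, digit = false, other = false;
        for (char c : password.toCharArray()) {
            if (Character.isLowerCase(c)) lower = true;
            else if (Character.isUpperCase(c)) upper = true;
            else if (Character.isDigit(c)) digit = true;
            else other = true;
        }
        int classes = (lower ? 1 : 0) + (upper ? 1 : 0) + (digit ? 1 : 0) + (other ? 1 : 0);
        if (classes < 3) {
            problems.add("must mix at least three of: lower case, upper case, digits, symbols");
        }

        if (COMMON.contains(password.toLowerCase())) {
            problems.add("is a commonly used password");
        }
        if (username != null && !username.isEmpty()
                && password.toLowerCase().contains(username.toLowerCase())) {
            problems.add("must not contain the username");
        }
        return problems;
    }

    public static boolean isAcceptable(String password, String username) {
        return violations(password, username).isEmpty();
    }

    // Demonstration on constructed inputs: the single-digit case from the
    // reproduction is rejected; a long mixed-class password is accepted.
    public static void main(String[] args) {
        String[][] samples = {
            {"7", "alice"},
            {"alice2024!!", "alice"},
            {"Correct-Horse-Battery-9", "alice"}
        };
        for (String[] s : samples) {
            List<String> v = violations(s[0], s[1]);
            System.out.println("'" + s[0] + "': " + (v.isEmpty() ? "accepted" : "rejected " + v));
        }
    }
}
```

In a controller, the check runs before the password is hashed: if `violations` is non-empty the request is answered with a client error listing the problems and no account or password change is persisted. Keeping the policy in one class and calling it from both the registration handler and the admin update handler avoids exactly the gap this advisory describes, where one code path enforces requirements and another does not. The thresholds above are a starting point; the length minimum and deny-list should follow the deployment's own policy.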

Added: Aug 5, 2025, 7:19 AM
Updated: Aug 5, 2025, 7:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.