weak Password Policy while creating a new User with the Admin Account in thorsten/phpmyfaq

Valid

Reported on Mar 10th 2023


Hello,

I was able to detect a weak password policy while allowing an administrator to create a new account.

Let's create an account, set the password to 1 and log in with it.

As you can see, it's the number 1. When I click Set, it will not accept it.

We need to specify that the user will change his password after login.

Then the password field will be hidden, and the password 1 will be accepted.

Let's see.


User created successfully with a weak password policy and password 1 -> let's try to log in.

user: ahmed2 pass: 1


We are successfully logged in.

Thank you for watching.
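The flaw described above, as an added illustrative example that is not phpMyFAQ's own code: an account-creation routine that skips the password check when "change password after login" is ticked, beside a hardened version that validates the password unconditionally. The function and class names, the policy rules and the sample user are assumptions constructed for the example.

```php
<?php
// Added illustrative example (not phpMyFAQ's own code; names are assumptions):
// enforce the password policy whether or not "change after login" is ticked.
final class PasswordPolicyError extends RuntimeException {}

// Minimal policy check; returns a list of violations (empty = acceptable).
function validatePassword(string $password, int $minLength = 8): array
{
    $errors = [];
    if (strlen($password) < $minLength) {
        $errors[] = "shorter than {$minLength} characters";
    }
    if (!preg_match('/[A-Za-z]/', $password) || !preg_match('/\d/', $password)) {
        $errors[] = 'must contain both letters and digits';
    }
    return $errors;
}

// Vulnerable pattern: the policy is skipped when the admin marks the account
// as "must change password after login", so password "1" is stored and usable.
function createUserVulnerable(string $name, string $password, bool $forceChange): array
{
    if (!$forceChange && validatePassword($password) !== []) {
        throw new PasswordPolicyError('password rejected by policy');
    }
    return ['name' => $name, 'hash' => password_hash($password, PASSWORD_DEFAULT),
            'forceChange' => $forceChange];
}

// Hardened pattern: validate first, unconditionally. The flag only adds a
// post-login requirement; it never relaxes the policy.
function createUserFixed(string $name, string $password, bool $forceChange): array
{
    $errors = validatePassword($password);
    if ($errors !== []) {
        throw new PasswordPolicyError(implode('; ', $errors));
    }
    return ['name' => $name, 'hash' => password_hash($password, PASSWORD_DEFAULT),
            'forceChange' => $forceChange];
}

// Constructed reproduction of the report: password "1" with the flag ticked.
$user = createUserVulnerable('ahmed2', '1', true);
echo password_verify('1', $user['hash']) ? "vulnerable: '1' accepted and usable\n" : '';
try {
    createUserFixed('ahmed2', '1', true);
} catch (PasswordPolicyError $e) {
    echo "fixed: rejected (" . $e->getMessage() . ")\n";
}
```

The same check should also run on the "change password after login" form itself, so the forced reset cannot set another weak value.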

Impact


We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 6 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 6 months ago
Thorsten Rinne validated this vulnerability 6 months ago
ahmedvienna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.12 with commit f612a7 6 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023
Thorsten Rinne published this vulnerability 6 months ago