weak Password Policy while creating a new User with the Admin Account in thorsten/phpmyfaq

Valid

Reported on

Mar 10th 2023

Hello,

I was able to detect weak Password Policy while allowing an administrator to create a new account.

Lets create an account, set the Password to 1 and login with it.

As you can see its number 1. When i click set it will not accept

We need to specify that the user will change his password after login.

Then the password field will be hidden and the password 1 will be accepted.

Lets see.

User created successfully with a weak password policy and password 1 -> lets try to login.

user: ahmed2 pass: 1

we are successfully logged in

Thank you for watching.

Impact

Hello,

I was able to detect weak Password Policy while allowing an administrator to create a new account.

Lets create an account, set the Password to 1 and login with it.

As you can see its number 1. When i click set it will not accept

We need to specify that the user will change his password after login.

Then the password field will be hidden and the password 1 will be accepted.

Lets see.

User created successfully with a weak password policy and password 1 -> lets try to login.

user: ahmed2 pass: 1

we are successfully logged in

Thank you for watching.

References

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 6 months ago

A thorsten/phpmyfaq maintainer has acknowledged this report 6 months ago

Thorsten Rinne validated this vulnerability 6 months ago

ahmedvienna has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Thorsten Rinne marked this as fixed in 3.1.12 with commit f612a7 6 months ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Mar 31st 2023

Thorsten Rinne published this vulnerability 6 months ago

to join this conversation