New password can be set as same as the old password in instantsoft/icms2

Valid

Reported on

Aug 14th 2023


Description

The web application allows a user to set the new password to the same value as the current one in the Password change function, so a forced password change can be satisfied without actually rotating the credential.

Detail:

1/ Access the demo website and go to My profile.

2/ Choose Edit profile, open the Security tab, and change the password, entering a new password that is identical to the old password.

3/ Log out and log in again to verify that the change was accepted.

Proof of Concept

Link video PoC: https://drive.google.com/file/d/1b-iMln3MIowU1LAz9DiZtxygPpEz9oNJ/view?usp=sharing

Impact

If users are required to change their password but can reuse an old password, the effectiveness of a good password policy is greatly reduced.
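The following is an added example of the server-side check the report asks for; it is not code from instantsoft/icms2 or from the fix commit referenced below. It assumes a salted PBKDF2-HMAC-SHA256 credential stored in an in-memory account record (constructed here), and all function and field names (`change_password`, `history`, and so on) are hypothetical. It goes slightly beyond the report by also keeping a short history of previous hashes, which covers the "reuse an old password" case named under Impact, not just the immediately current one.

```python
"""Password-change policy check: reject a candidate that equals the current password.

Added example (not instantsoft/icms2 code). Assumes credentials are stored as a
salt plus a PBKDF2-HMAC-SHA256 digest; account records are plain dicts built
in-memory for the demonstration.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: tune upward for production hardware
HISTORY_DEPTH = 5            # assumption: how many previous hashes to remember


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Derive (salt, digest); a fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salt/digest pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordChangeError(ValueError):
    """Raised when a password change is rejected by policy."""


def new_account(password: str) -> dict:
    """Constructed account record: current salt/hash plus an empty reuse history."""
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "history": []}


def change_password(account: dict, old_password: str, new_password: str) -> dict:
    # 1. Authenticate the request with the current password.
    if not verify_password(old_password, account["salt"], account["hash"]):
        raise PasswordChangeError("current password is incorrect")

    # 2. The check the report found missing: the candidate must differ from the
    #    current password. Comparing against the stored hash (rather than the
    #    submitted old_password string) keeps the rule effective even for flows
    #    that never ask for the old password, such as an administrative reset.
    if verify_password(new_password, account["salt"], account["hash"]):
        raise PasswordChangeError("new password must differ from the current password")

    # 3. Reject recently used passwords as well (bounded history of old digests).
    for salt, digest in account["history"]:
        if verify_password(new_password, salt, digest):
            raise PasswordChangeError("new password was used recently")

    # 4. Rotate: push the current credential into history, store a fresh salt/hash.
    account["history"].insert(0, (account["salt"], account["hash"]))
    del account["history"][HISTORY_DEPTH:]
    account["salt"], account["hash"] = hash_password(new_password)
    return account


def try_change(account: dict, old_password: str, new_password: str):
    """Return None on success, otherwise the policy reason the change was rejected."""
    try:
        change_password(account, old_password, new_password)
        return None
    except PasswordChangeError as exc:
        return str(exc)


if __name__ == "__main__":
    acct = new_account("correct horse")
    print(try_change(acct, "correct horse", "correct horse"))   # rejected: same as current
    print(try_change(acct, "correct horse", "battery staple"))  # None: accepted
    print(try_change(acct, "battery staple", "correct horse"))  # rejected: used recently
```

The rejection in step 2 is deliberately computed from the stored hash, so a client that omits or fakes the old-password field cannot bypass it; the history check in step 3 is what turns a "must change password" requirement into an actual rotation rather than a round trip back to the same secret.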

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. a month ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back a month ago
Fuze
a month ago

Maintainer


CWE-620 does not fit the described problem. But in general you are right, you can't let them change the password to what it was before. I'm not sure it can be considered a security issue.

Chuu
a month ago

Researcher


Hi @Fuze, I think it is also a security issue. If following the OWASP checklist, it would be WSTG-ATHN-07 Testing for Weak Password Policy. Whatever you decide, I respect it. Thank you.

Fuze validated this vulnerability a month ago
Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Fuze marked this as fixed in 2.16.1-git with commit 58f8b9 a month ago
Fuze has been awarded the fix bounty
This vulnerability has been assigned a CVE
Fuze published this vulnerability a month ago
Fuze gave praise a month ago
Thank you.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Chuu
a month ago

Researcher


Thank you too
