No Password Policy at all during Registration and Password Change allows Account Takeover Exploitation in thorsten/phpmyfaq
Reported on Jan 22nd 2023
Dear Ladies and Gentlemen,
First of all thank you for your time and effort reading my Report.
While doing the Penetration Test I was able to identify a weak Password Policy during Registration and Password changing, allowing an attacker to easily exploit an Account Takeover Vulnerability.
This is because no password policy is available. The User does not have any strong password policy or least amount of characters to submit as a password. Therefore the user can submit “1” as a Password and it will be accepted. After that an attacker can easily guess and automate the process of guessing the correct password due to the weak Password.
The Process of the Vulnerability:
- Login
- Go to https://roy.demo.phpmyfaq.de/admin/?action=user&user_action=listallusers
- Change the Password or generate a new User
- Set his Password but the System is not requiring any kind of least characters at all
- Set the Password to 1 and log in with it. Example for the HTML Code: Password: 1
The Attacker can therefore automate the Process of Password Finding through Burp Suite Intruder due to the weak Password.
Mitigation: Please set the least amount of characters to be submitted, for example 8 characters. Do not allow setting the password to 1 or an easily guessable Password like the username.
At the End I want to thank you for your time and effort and hope to hear from you soon.
Best regards, Ahmed Hassan
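One way to enforce the mitigation the report asks for, written here as an added example; it is not part of the original report and not phpMyFAQ's own code. The function name, constants and the deny-list are hypothetical, and the code assumes PHP 8.0+ with the mbstring extension.

```php
<?php
declare(strict_types=1);

// Added example: all names here are hypothetical, not phpMyFAQ identifiers.
const MIN_PASSWORD_LENGTH = 8; // the minimum the report suggests

// Constructed sample deny-list; a real deployment would load a larger one.
const COMMON_PASSWORDS = ['password', '12345678', 'qwertyuiop', 'letmein123'];

/**
 * Returns a list of policy violations; an empty list means the password is acceptable.
 * Call this server-side on every path that sets a password: registration,
 * self-service change, and an administrator setting a user's password.
 */
function passwordPolicyViolations(string $password, string $username): array
{
    $violations = [];
    $lowerPassword = mb_strtolower($password, 'UTF-8');
    $lowerUsername = mb_strtolower(trim($username), 'UTF-8');

    if (mb_strlen($password, 'UTF-8') < MIN_PASSWORD_LENGTH) {
        $violations[] = 'shorter than ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    // Reject the username itself and passwords built around it (e.g. "alice2023").
    if ($lowerUsername !== '' && str_contains($lowerPassword, $lowerUsername)) {
        $violations[] = 'contains the username';
    }
    if (in_array($lowerPassword, COMMON_PASSWORDS, true)) {
        $violations[] = 'is a commonly used password';
    }
    // A single repeated character ("11111111") passes a length check but is trivially guessable.
    if ($password !== '' && count(array_unique(mb_str_split($password, 1, 'UTF-8'))) === 1) {
        $violations[] = 'consists of one repeated character';
    }
    return $violations;
}

// Constructed test inputs: [username, candidate password].
$samples = [['alice', '1'], ['alice', 'Alice2023!'], ['alice', '11111111'],
            ['alice', '12345678'], ['alice', 'correct horse battery']];
foreach ($samples as [$user, $candidate]) {
    $v = passwordPolicyViolations($candidate, $user);
    printf("%-24s %s\n", $candidate, $v === [] ? 'accepted' : 'rejected: ' . implode('; ', $v));
}
```

Only the last sample is accepted; the password "1" from the report is rejected by the length rule before any hashing or storage takes place.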
Good Morning,
I hope you are okay. I wanted to mention that my Brother Josef Hassan (mohammedzidan99@gmail.com) was part of identifying this Vulnerability.
Therefore, I will be more than happy if you can put his Name and E-Mail Address as a Security Researcher with me.
I would appreciate hearing from you soon and wish you a wonderful day.
Best regards, Ahmed Hassan