Weak Password Requirement in thorsten/phpmyfaq

Valid

Reported on

Oct 20th 2022

Description

We can change password with just 1 character when we use change password function.

Proof of Concept

When you change password, just press an charactor and then submit. Your password has been changed.

Impact

When users change password to a too simple password, attacker can easily guess user password and access account.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a month ago

Hoang Van Hiep modified the report

a month ago

We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a month ago

Thorsten Rinne validated this vulnerability a month ago

Hoang Van Hiep has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Thorsten Rinne gave praise a month ago

Here's the fix: https://github.com/thorsten/phpMyFAQ/commit/d7a87d2646287828c70401ca8976ef531fbc77ea

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Hoang Van Hiep

commented a month ago

Researcher

Can you assign cve?

We have sent a fix follow up to the thorsten/phpmyfaq team. We will try again in 7 days. a month ago

Thorsten Rinne

commented a month ago

Maintainer

@t1g3r0x never did that

Thorsten Rinne marked this as fixed in 3.1.8 with commit d7a87d a month ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability has been assigned a CVE

Thorsten Rinne published this vulnerability a month ago

to join this conversation

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a month ago

Hoang Van Hiep modified the report

a month ago

We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a month ago

Thorsten Rinne validated this vulnerability a month ago

Hoang Van Hiep has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Thorsten Rinne gave praise a month ago

Here's the fix: https://github.com/thorsten/phpMyFAQ/commit/d7a87d2646287828c70401ca8976ef531fbc77ea

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Hoang Van Hiep

commented a month ago

Researcher

Can you assign cve?

We have sent a fix follow up to the thorsten/phpmyfaq team. We will try again in 7 days. a month ago

Thorsten Rinne

commented a month ago

Maintainer

@t1g3r0x never did that

Thorsten Rinne marked this as fixed in 3.1.8 with commit d7a87d a month ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability has been assigned a CVE

Thorsten Rinne published this vulnerability a month ago

to join this conversation