huntr: ahmedvienna, B3881A1F-2F1E-45CB-86F3-735F66E660E9
History: Jan 22, 2023 - 12:16 a.m.

No Password Policy at all during Registration and Password Change allows Account Takeover Exploitation

2023-01-22 00:16:25
ahmedvienna
www.huntr.dev
9
penetration test
weak password policy
account takeover
vulnerability
burp suite intruder
mitigation
characters limit

0.001 Low

EPSS

Percentile

36.7%

Dear Ladies and Gentlemen,

First of all thank you for your time and effort reading my Report.

While doing the penetration test I found a weak password policy during registration and password change, which allows an attacker to easily exploit an account takeover vulnerability.

This is because no password policy exists at all. The user is not held to any password strength requirement or minimum number of characters, so the user can submit "1" as a password and it will be accepted. Because such a password is so weak, an attacker can easily guess it and automate the guessing process.

The process to reproduce the vulnerability:

  1. Log in.
  2. Go to https://roy.demo.phpmyfaq.de/admin/?action=user&user_action=listallusers
  3. Change the password of an existing user or create a new user.
  4. Set the user's password: the system does not require any minimum number of characters at all.
  5. Set the password to 1 and log in with it.
    Example from the HTML form:
    Password: 1

Because the password is so weak, an attacker can therefore automate the password-guessing process with Burp Suite Intruder.

Mitigation:
Please enforce a minimum number of characters for passwords, for example 8 characters.
Do not allow the password to be set to 1 or to an easily guessable value such as the username.
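As an added example (not code from the report or from phpMyFAQ), the check below implements the mitigation described above: a minimum length of 8, rejection of trivial values such as "1", and rejection of passwords that contain the username. The small common-password list is constructed for illustration; a real deployment would check a much larger breached-password list.

```python
import unicodedata
from typing import Optional

MIN_PASSWORD_LENGTH = 8  # minimum the report recommends

# Constructed, illustrative denylist of trivially guessable passwords.
COMMON_PASSWORDS = {"1", "123456", "12345678", "password", "qwerty", "admin"}


def password_policy_error(password: str, username: str) -> Optional[str]:
    """Return the reason a password is rejected, or None if it is acceptable.

    Applied on both registration and password change, this refuses the
    single-character password the report describes as well as passwords
    that are the username or a trivially guessable value.
    """
    # Normalise so that visually identical Unicode forms are measured alike.
    pw = unicodedata.normalize("NFKC", password)
    if len(pw) < MIN_PASSWORD_LENGTH:
        return f"password must be at least {MIN_PASSWORD_LENGTH} characters"
    lowered = pw.casefold()
    if lowered in COMMON_PASSWORDS:
        return "password is on the list of common passwords"
    if username and username.casefold() in lowered:
        return "password must not contain the username"
    # A single repeated character or a pure digit run is still trivial to guess.
    if len(set(lowered)) == 1 or lowered.isdigit():
        return "password is too simple"
    return None
```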

Finally, I want to thank you for your time and effort, and I hope to hear from you soon.

Best regards
Ahmed Hassan

