matomo-org / matomo

https://matomo.org/
GNU General Public License v3.0

Application allowing old password to be set as new password at $username.matomo.cloud #19839

Open niteshpatel798 opened 1 year ago

niteshpatel798 commented 1 year ago

Hi Team,

I found an issue: your application allows a user to set a new password that is the same as the old password.

Summary

As per a secure password policy, the application should not allow the same old password value to be used as the new password value, because there is a possibility that the old password has been exposed or leaked to an adversary. So it is advisable on the application's end to enforce a strong password policy and implement a check that does not allow the user to set the old password value as the new password value.

Steps to Reproduce

1. Go to https://username.matomo.cloud/
2. Click on Lost password
3. Enter the old password as the new password; the site accepts it and logs you in
4. No need to check email and authorize your password change request

Reference

https://www.owasp.org/index.php/Testing_for_Weak_password_policy_(OTG-AUTHN-007)
https://github.com/WeblateOrg/weblate/commit/035730cac8029017e57996e2a78fd24ef84e0b5f

Impact

The problem is that, today, attackers access a particular user's account by knowing his passwords for other accounts on other sites and also by knowing the old passwords he used. So allowing users to set an old password is somewhat of a typical issue.
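The check the report asks for, shown as an added example that is not Matomo's code: a single password-setting routine, shared by the "change password" and "lost password" (reset) paths, that verifies the candidate against the current hash and a short history of previous hashes and refuses it on a match. PBKDF2-HMAC-SHA256 from the Python standard library stands in for the application's real password hash (an assumption made only so the example runs offline); the account record, `HISTORY_SIZE` and the function names are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Added example, not Matomo code. PBKDF2-HMAC-SHA256 from the standard library
# stands in for whatever password hash the real application uses; the reuse
# check below only needs a verify(password, stored_hash) primitive, so it works
# the same way with bcrypt or argon2.
ITERATIONS = 50_000
HISTORY_SIZE = 5  # number of previous hashes kept for the reuse check (assumed policy)


def hash_password(password: str) -> str:
    """Return 'salt$digest' (both hex) for a freshly salted password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class PasswordReuseError(ValueError):
    """Raised when the new password matches the current or a recent password."""


def create_user(password: str) -> dict:
    """Constructed in-memory account record; a real application would persist it."""
    return {"password_hash": hash_password(password), "history": []}


def set_new_password(user: dict, new_password: str) -> dict:
    """Shared by the 'change password' and 'lost password' (reset) flows.

    Rejects the candidate if it verifies against the current hash or any hash
    in the recent history, then rotates the current hash into the history.
    """
    for old_hash in [user["password_hash"], *user["history"]]:
        if verify_password(new_password, old_hash):
            raise PasswordReuseError(
                "new password must differ from the current and recent passwords"
            )
    user["history"] = [user["password_hash"], *user["history"]][:HISTORY_SIZE]
    user["password_hash"] = hash_password(new_password)
    return user


def try_set_new_password(user: dict, new_password: str) -> bool:
    """Convenience wrapper: True on success, False when the password was reused."""
    try:
        set_new_password(user, new_password)
        return True
    except PasswordReuseError:
        return False


if __name__ == "__main__":
    account = create_user("old-secret")
    print(try_set_new_password(account, "old-secret"))  # False: same as current
    print(try_set_new_password(account, "brand-new"))   # True
    print(try_set_new_password(account, "old-secret"))  # False: still in history
```

The point of routing both flows through `set_new_password` is that the reset path in the report bypasses whatever check the change-password form might have; a reuse check that lives only in one form is easy to miss. Comparing against stored hashes rather than keeping old plaintexts means the history adds no new secret to protect, only a few extra hash verifications per change.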

sgiehl commented 1 year ago

Thanks for creating this report @niteshpatel798. Our product team will consider this for future improvements.