Submit #80615: Weak Password Policy in Employee Leaves Management System v1.0

Title: Weak Password Policy in Employee Leaves Management System v1.0
Description:

# DESCRIPTION

The impact of a weak password policy in Employee Leaves Management System V.1.0 is that it increases the risk of unauthorized access to sensitive employee information and leave records. An attacker could easily guess or crack weak passwords, leading to unauthorized access and potential theft or alteration of sensitive data. Implementing a strong password policy is crucial to ensure the security and privacy of employee information.

# VULNERABILITY-TYPE: CWE-521: Weak Password Requirements
# VENDOR OF THE PRODUCT: PHPGURUKUL
# AFFECTED PRODUCT: Employee Leaves Management System
# VERSION: 1.0
# ATTACK TYPE: REMOTE
# AFFECTED COMPONENTS: SOURCE-CODE (changepassword.php)
# ATTACK VECTOR: CHANGE PASSWORD (newpassword, confirmpassword parameters)

# STEPS_TO_REPRODUCE

1. First log in to the Admin Account using the credentials given above.
2. Then from the left panel select `chnage Password`; you will be redirected to this URL: `http://localhost/elms/admin/changepassword.php`
3. Then change the password to the same password, or give `1` as the password: it will be accepted and the password updated, so there is no strong password policy.

# REFERENCES

https://cwe.mitre.org/data/definitions/521.html

# VIDEO-POC GITHUB-REPO-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Employee%20Leaves%20Management%20System/ELMS.md
Source: https://phpgurukul.com/employee-leaves-management-system-elms/
User: Affan (UID 39417)
Submission: 01/30/2023 18:02
Moderation: 02/02/2023 09:16 (3 days later)
Status: Accepted
VulDB entry: 220021 [PHPGurukul Employee Leaves Management System 1.0 changepassword.php newpassword/confirmpassword weak password]
Points: 20
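A server-side check of the kind the report calls for, added here as an illustration and not taken from the ELMS code base: it rejects a mismatched confirmation, a trivially short or single-class password such as `1`, and reuse of the current password, which the report shows changepassword.php accepting. The parameter names newpassword and confirmpassword come from the report; the minimum length, the `validateNewPassword` function and the sample hash are assumptions.

```php
<?php
// Added example (not the project's code). Policy constant is an assumption.
const MIN_LENGTH = 12;

/**
 * Returns an empty array when the new password is acceptable, otherwise a
 * list of reasons it was rejected. $storedHash is the user's current
 * password_hash() value, read from the database by the caller.
 */
function validateNewPassword(string $new, string $confirm, string $storedHash): array
{
    $errors = [];
    // The form's confirmpassword field must repeat newpassword exactly.
    if (!hash_equals($new, $confirm)) {
        $errors[] = 'newpassword and confirmpassword do not match';
    }
    if (strlen($new) < MIN_LENGTH) {
        $errors[] = 'password must be at least ' . MIN_LENGTH . ' characters';
    }
    // Require upper-case, lower-case, digit and symbol characters.
    if (!preg_match('/[a-z]/', $new) || !preg_match('/[A-Z]/', $new)
        || !preg_match('/[0-9]/', $new) || !preg_match('/[^a-zA-Z0-9]/', $new)) {
        $errors[] = 'password must mix upper, lower, digit and symbol';
    }
    // The report notes the same password is accepted again; reject reuse.
    if (password_verify($new, $storedHash)) {
        $errors[] = 'new password must differ from the current password';
    }
    return $errors;
}

// Constructed demo: the stored hash belongs to "OldPass-2023!!".
$storedHash = password_hash('OldPass-2023!!', PASSWORD_DEFAULT);
$cases = [
    ['1', '1'],                                   // the value from the report
    ['OldPass-2023!!', 'OldPass-2023!!'],         // reuse of the current password
    ['Sunny-Harbor-42!', 'Sunny-Harbor-43!'],     // confirmation mismatch
    ['Sunny-Harbor-42!', 'Sunny-Harbor-42!'],     // acceptable
];
foreach ($cases as [$new, $confirm]) {
    $errors = validateNewPassword($new, $confirm, $storedHash);
    if ($errors) {
        echo "$new: rejected (" . implode('; ', $errors) . ")\n";
    } else {
        // Only now is the new hash written back in place of the old one.
        echo "$new: accepted, new hash " . password_hash($new, PASSWORD_DEFAULT) . "\n";
    }
}
```

Of the four constructed cases only the last is accepted; `1` fails both the length and the character-class rules, which is the gap the report describes.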
