No Rate Limit On Reset Password in froxlor/froxlor

Valid

Reported on

Feb 11th 2023


Description

A rate limiting algorithm is used to check if the user session (or IP address) has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code 429: Too Many Requests. (Wikipedia) I just realized that on the reset password page the request has no rate limit, which can then be used to loop the same request.

Proof of Concept

VIDEO POC https://drive.google.com/file/d/1FhvPexy9NwpFD6kMTvYlXMc7xvwfhnci/view?usp=sharing

Steps To Reproduce:

  1. Go to https://demo.froxlor.org/admin_index.php?page=change_password
  2. change old and new password
  3. Intercept request in burpsuite suite and repeate same request 100 times
  4. Once introder attack is completed then try to relogin with new password.

Result: 2 security issues were observed

  1. The application allowed the old and new password to be the same
  2. There is no rate limit on the password change functionality

Impact

Trouble for the users of the website, because huge email bombing can be done by attackers within seconds.
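Added example (not froxlor's own code and not the fix from commit 167967): a sliding-window limiter keyed by session id or client IP, wrapped around a password-change handler that also rejects a new password identical to the old one, covering both findings above. The window and attempt limits, the in-memory store, the user record layout and the `replay` helper that re-sends one request 100 times (mirroring step 3) are all assumptions made for this illustration.

```python
# Added example (not froxlor's code). Assumptions: window/limit values, the
# in-memory limiter store, the UserRecord layout and the handler signature.
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 600.0   # assumption: 10-minute window
MAX_ATTEMPTS = 5         # assumption: 5 password-change requests per window per principal


@dataclass
class SlidingWindowLimiter:
    """Per-principal sliding window: keeps the timestamps of recent hits."""
    window: float = WINDOW_SECONDS
    limit: int = MAX_ATTEMPTS
    _hits: dict = field(default_factory=dict)

    def allow(self, key: str, now: float) -> bool:
        """True if `key` (session id or IP) is under the limit at `now`; records the hit if so."""
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # caller answers HTTP 429 Too Many Requests
        q.append(now)
        return True


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(salt, _hash(password, salt))


def verify(user: UserRecord, candidate: str) -> bool:
    # constant-time comparison of the derived hashes
    return hmac.compare_digest(user.pw_hash, _hash(candidate, user.salt))


@dataclass
class Response:
    status: int
    message: str


def change_password(limiter, user, principal, old_password, new_password, now):
    """Change-password handler; `principal` is the session id or client IP."""
    # Every request counts toward the limit, successful or not.
    if not limiter.allow(principal, now):
        return Response(429, "Too Many Requests")
    if not verify(user, old_password):
        return Response(403, "old password incorrect")
    if old_password == new_password:   # finding 1: identical old/new password was accepted
        return Response(400, "new password must differ from the old one")
    user.salt = os.urandom(16)
    user.pw_hash = _hash(new_password, user.salt)
    return Response(200, "password changed")


def replay(limiter, user, principal, old, new, n, start=0.0):
    """Re-send the same request n times, one second apart (step 3 of the report);
    returns a count of each status code the handler produced."""
    counts = {}
    for i in range(n):
        r = change_password(limiter, user, principal, old, new, start + i)
        counts[r.status] = counts.get(r.status, 0) + 1
    return counts


if __name__ == "__main__":
    # 100 identical requests from one session: only the first 5 reach the handler
    print(replay(SlidingWindowLimiter(), make_user("hunter2"), "sess-1", "hunter2", "hunter2", 100))
```

Keying the limiter on the session id alone is not enough on an unauthenticated reset form, where an attacker controls the session; there the client IP (or the target account) is the key, and the 429 response should be logged so repeated hits show up in monitoring.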

We are processing your report and will contact the froxlor team within 24 hours. a year ago
We have contacted a member of the froxlor team and are waiting to hear back a year ago
Michael
a year ago

Maintainer


Why set Privileged required to none when "Changing password" is clearly an authenticated action?

Mohammed
a year ago

Researcher


Sorry! Yes, it's an authenticated action. Please change the privileges required to yes.

Michael Kaufmann modified the Severity from High (7.4) to Medium (6.8) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Michael Kaufmann validated this vulnerability a year ago
earth2sky has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mohammed
a year ago

Researcher


Hey @Michael, thank you. Is it possible to get a CVE assigned for this? thanks

Mohammed
a year ago

Researcher


Humble request to include below emails while assigning CVE. Mohammed A.Siledar(earth22sky@gmail.com) and Mohammed Naushad s(9shad71@gmail.com)

Michael
a year ago

Maintainer


This is nothing we control; ask the huntr.dev guys how this is handled.

Mohammed
a year ago

Researcher


@admin could you help on above request?

Ben Harvie
a year ago

Admin


Hi earth2sky, you will be credited within the CVE with your username. Check out CVEs assigned in the hacktivity for some examples.

@maintainer, you have the power to assign a CVE once you mark the vulnerability as fixed, you can update the CVE description to your liking during this process.

Thanks :)

Mohammed
a year ago

Researcher


any updates?

Michael
a year ago

Maintainer


No, we are an open source project which is done in spare time; currently there is not much time, sorry. I've already acknowledged this and it will be addressed.

Michael Kaufmann marked this as fixed in 2.0.16 with commit 167967 10 months ago
The fix bounty has been dropped
admin_index.php#L199-L210 has been validated
This vulnerability has now been published 9 months ago