No Rate Limit On Reset Password in froxlor/froxlor
Feb 11th 2023
A rate limiting algorithm is used to check if the user session (or IP address) has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code 429: Too Many Requests. (Wikipedia) I just realized that on the reset password page, the request has no rate limit, which can then be used to loop through one request.
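As an added example (not froxlor's own code), one way to enforce the limit described above: a sliding-window limiter keyed by session id or client IP placed in front of a password-change handler, which also rejects a new password identical to the old one. The class, function, thresholds and sample values are assumptions made for this illustration.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # look-back window for counting attempts (assumed value)
MAX_ATTEMPTS = 5       # attempts allowed per key within the window (assumed value)


class SlidingWindowLimiter:
    """Sliding-window rate limiter keyed by client identity (session id or IP)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock              # injectable so the limiter can be tested offline
        self._hits = defaultdict(deque)  # key -> timestamps of recent attempts

    def allow(self, key):
        """Record one attempt for key; return False once the window is full."""
        now = self.clock()
        q = self._hits[key]
        # Discard timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True

    def retry_after(self, key):
        """Seconds until the oldest counted attempt leaves the window."""
        q = self._hits[key]
        if not q:
            return 0
        return max(0, int(self.window - (self.clock() - q[0])))


def handle_change_password(limiter, client_key, old_password, new_password,
                           verify_old, set_new):
    """Hypothetical handler; returns (http_status, message).

    The limiter is consulted first so that rejected attempts still count."""
    if not limiter.allow(client_key):
        secs = limiter.retry_after(client_key)
        return 429, f"Too Many Requests; retry after {secs}s"
    if new_password == old_password:
        return 400, "New password must differ from the old password"
    if not verify_old(old_password):
        return 403, "Old password incorrect"
    set_new(new_password)
    return 200, "Password changed"
```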
Proof of Concept
VIDEO POC https://drive.google.com/file/d/1FhvPexy9NwpFD6kMTvYlXMc7xvwfhnci/view?usp=sharing
Steps To Reproduce:
- Go to https://demo.froxlor.org/admin_index.php?page=change_password
- change old and new password
- Intercept the request in Burp Suite and repeat the same request 100 times
- Once the Intruder attack is completed, try to log in again with the new password.
Result: There are 2 security issues observed
- The application allowed the new password to be the same as the old password
- There is no rate limit on password change functionality
Impact: users of the website are affected because attackers can trigger huge email bombing within seconds.