No password brute-force protection on login page in hay-kot/mealie

Valid

Reported on

Jul 28th 2022


Description

The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible combination without any restriction.

Proof of Concept

1. Send a login request for the target user:

POST /api/auth/token HTTP/1.1
Host: localhost:9091
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLDx5Wjaf8w8QGFao

------WebKitFormBoundaryLDx5Wjaf8w8QGFao
Content-Disposition: form-data; name="username"

admin@email.com
------WebKitFormBoundaryLDx5Wjaf8w8QGFao
Content-Disposition: form-data; name="password"

password
------WebKitFormBoundaryLDx5Wjaf8w8QGFao
Content-Disposition: form-data; name="remember_me"

false
------WebKitFormBoundaryLDx5Wjaf8w8QGFao--

2. Capture and replay the login request with a different password each time (brute force).

Impact

An attacker could perform a brute-force attack targeting normal and administrative users, using different passwords and eventually gain access to the targeted account, without any restriction.
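The control the report says is missing, shown from the defender's side as an added example that is neither Mealie's code nor the fix landed in commit b3c41a: a sliding-window failed-login throttle that a handler for POST /api/auth/token could consult before verifying the password. The class and function names, the thresholds, and keying on the normalised username are assumptions chosen for the illustration.

```python
import time
from collections import defaultdict, deque

# Constructed illustration, not Mealie's own code: a sliding-window throttle for
# failed logins. Names and thresholds are assumptions chosen for the example.
MAX_FAILURES = 5       # failures tolerated per key within WINDOW_SECONDS
WINDOW_SECONDS = 300   # sliding window over which failures are counted
LOCKOUT_SECONDS = 900  # how long a key stays blocked after hitting the limit
class LoginThrottle:
    def __init__(self, now=time.monotonic):
        self._now = now                       # injectable clock, eases testing
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lock expires

    def is_blocked(self, key):
        now = self._now()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[key]
        self._failures.pop(key, None)         # lock expired: start counting afresh
        return False

    def record_failure(self, key):
        """Count one failure; lock the key once MAX_FAILURES fall inside the window."""
        now = self._now()
        window = self._failures[key]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                  # drop failures older than the window
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, key):
        self._failures.pop(key, None)         # a valid login resets the counter

def attempt_login(throttle, username, password_ok):
    """Gate one login attempt; returns 'locked', 'denied' or 'ok'."""
    # Keyed on the normalised username, so the cap holds regardless of source address.
    key = username.strip().lower()
    if throttle.is_blocked(key):
        return "locked"                       # refuse even a correct password
    if password_ok:
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "denied"
```

A per-client-IP counter alongside the per-account one is the usual companion, so that the lockout itself cannot be used to keep a legitimate user out indefinitely.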

We are processing your report and will contact the hay-kot/mealie team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the hay-kot/mealie team and are waiting to hear back 2 years ago
Hayden validated this vulnerability 2 years ago
vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the hay-kot/mealie team. We will try again in 7 days. 2 years ago
We have sent a second fix follow up to the hay-kot/mealie team. We will try again in 10 days. 2 years ago
Hayden marked this as fixed in nightly with commit b3c41a 2 years ago
Hayden has been awarded the fix bounty
auth.py#L50-L65 has been validated