No rate limit on email triggering during "resend email" action results in email flooding or a spam attack or a financial loss to the company itself in ikus060/rdiffweb

Valid

Reported on

Sep 29th 2022


Description

When a user is setting up 2FA, a verification code is sent to the registered email address. There is no effective rate limit on this email trigger, so an attacker can flood the mailbox (a denial-of-service against the user) and drive up the operator's mail costs: every resend request produces one outbound email, so a script that sends, say, one million requests produces one million emails billed to the company.

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa
2) Click on "Enable 2FA". A verification code will be sent to your email.
3) You will see a "Resend code to my email" button. Click on it and capture the request using the Burp Suite proxy.
4) Send this request to Burp Suite Intruder and fire the same request 1000 times.
5) The registered email address will receive 1000 emails with verification codes.




# Impact

An attacker can abuse this bug by:
1) Causing an impact to the user. Scenario: the user left their account logged in on a library computer; an attacker can perform the above steps to flood the user's mailbox.
2) Adding extra cost to the company's mail server, since every request results in an outbound email.
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago
Patrik Dufresne validated this vulnerability a year ago
Nehal Pillai has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nehal Pillai
a year ago

Researcher


@admin @maintainer can we assign a CVE for this issue as well?

Patrik Dufresne
a year ago

Maintainer


@nehalr777 Seems there is a rate limit on this endpoint: 30 requests per minute, then 429 is raised.

The threshold seems a bit high considering. I might reduce this default to a sane value. Do you have any recommendation?

Nehal Pillai
a year ago

Researcher


Sir, I was successfully able to trigger 100 emails without any problem.

Nehal Pillai
a year ago

Researcher


Yes, reducing the threshold to 10 may be a great idea.

Nehal Pillai
a year ago

Researcher


The issue here is that an attacker is able to send 30 requests per minute (60 secs), ~1 request per 2 seconds. Burp Suite is an amazing tool that allows you to configure the time between each request, so an attacker can easily carry out an attack.

Now we could allow 10-15 email triggers every 10 mins (6000 secs). I believe that should be enough to get this issue fixed.

Nehal Pillai
a year ago

Researcher


Sorry, I mistyped the value: 10 mins (600 seconds).

So an attacker will be able to trigger at most 10-15 requests in the span of 600 seconds, which limits this issue from occurring.

We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. a year ago
Patrik Dufresne
a year ago

Maintainer


@admin could we assign a CVE to this report?

Nehal Pillai
a year ago

Researcher


@admin could we please assign a CVE for this as requested by the @maintainer?

We have sent a second fix follow up to the ikus060/rdiffweb team. We will try again in 10 days. a year ago
Patrik Dufresne marked this as fixed in 2.5.0 with commit b78ec0 a year ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
Nehal Pillai
a year ago

Researcher


@maintainer could we make this report public?

Patrik Dufresne published this vulnerability a year ago