Using application logic to create an email spam attack in ikus060/rdiffweb

Valid

Reported on

Oct 3rd 2022

Description

On every 3 invalid attempts the application sends a new code to the email associate with the account . An attacker can misuse this functionality of the code to create a spam attack

Proof of Concept

Pre-Requisites: 2FA must be enabled for  your account 

1) Go to https://rdiffweb-dev.ikus-soft.com/login/ and login using credentials
2) You will now have to enter MFA code
3) Bruteforce this code , its indeed an 8 digit code (~100 million combinations required) . Every third incorrect attempt will trigger a new code to the email , which will indeed result in an email spam attack




# Impact

This will result in an email spam attack and will also impose an extra cost to your company's mail server

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago

We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back a year ago

We have sent a follow up to the ikus060/rdiffweb team. We will try again in 7 days. a year ago

Patrik Dufresne assigned a CVE to this report a year ago

Patrik Dufresne modified the Severity from Medium (6.1) to Medium (5.6) a year ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Patrik Dufresne validated this vulnerability a year ago

Nehal Pillai has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Patrik Dufresne marked this as fixed in 2.5.0 with commit b78ec0 a year ago

Patrik Dufresne has been awarded the fix bounty

This vulnerability has been assigned a CVE

Patrik Dufresne published this vulnerability a year ago

to join this conversation