No Rate Limit On Reset Password in froxlor/froxlor
Feb 11th 2023
A rate limiting algorithm is used to check if the user session (or IP address) has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code 429: Too Many Requests. (wikipedia) I just realize that on the reset password page, the request has no rate limit which then can be used to loop through one request
Proof of Concept
VIDEO POC https://drive.google.com/file/d/1FhvPexy9NwpFD6kMTvYlXMc7xvwfhnci/view?usp=sharing
Steps To Reproduce:
- Go to https://demo.froxlor.org/admin_index.php?page=change_password
- change old and new password
- Intercept request in burpsuite suite and repeate same request 100 times
- Once introder attack is completed then try to relogin with new password.
Result: There are 2 seurity issues observed
- Application allowed to change same old and new password
- There is no rate limit on password change functionality
Trouble to the users on the website because huge email bombing can be done by the attackers within seconds.
Why set Privileged required to none when "Changing password" is clearly an authenticated action?
Sorr! Yes it's an authenticated action. Please change the privileged required to yes.
Hey @Michael, thank you. Is it possible to get a CVE assigned for this? thanks
Humble request to include below emails while assigning CVE. Mohammed A.Siledar(firstname.lastname@example.org) and Mohammed Naushad s(email@example.com)
This is nothing we control, ask the huntr.dev guys on how this is handled
@admin could you help on above request?
Hi, earth2sky you will be credited within the CVE with your username. Check out CVEs assigned in the hacktivity for some examples.
@maintainer, you have the power to assign a CVE once you mark the vulnerability as fixed, you can update the CVE description to your liking during this process.
no, we are an open source project which is done in spare time, currently there is not much time, sorry. I've already acknowledged this and it will be addressed