No Rate Limit On Reset Password in froxlor/froxlor

Status: Valid
Reported on: Feb 11th 2023

Description

A rate limiting algorithm is used to check whether the user session (or IP address) has to be limited, based on the information in the session cache. In case a client has made too many requests within a given time frame, HTTP servers can respond with status code 429: Too Many Requests. (Wikipedia)

I just realized that on the reset password page the request has no rate limit, which can then be used to loop through one request.

Proof of Concept

Video PoC: https://drive.google.com/file/d/1FhvPexy9NwpFD6kMTvYlXMc7xvwfhnci/view?usp=sharing

Steps to reproduce:

  1. Go to https://demo.froxlor.org/admin_index.php?page=change_password
  2. Enter the old and new password
  3. Intercept the request in Burp Suite and repeat the same request 100 times
  4. Once the Intruder attack is completed, try to re-login with the new password.

Result: two security issues were observed

  1. The application allowed the new password to be the same as the old password
  2. There is no rate limit on the password change functionality
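The rate-limiting check quoted in the description, and the 100-request replay from the steps above, as an added example. This is illustrative Python written for this page; it is not froxlor's code (froxlor is PHP) and not the fix the project shipped. The session key, the 5-per-60-seconds limit and the sample passwords are assumptions made for the illustration. The handler is shown with and without the limiter so the replay tally can be compared, and it also enforces the second finding (new password must differ from the old one).

```python
"""Added example, not froxlor's code: a session-keyed sliding-window rate limiter and
a 'new password must differ' check in front of a password-change handler, driven by
the same 100-request replay the report describes. Names, limits and sample passwords
are assumptions made for this illustration."""
from collections import Counter, defaultdict, deque
import time

MAX_ATTEMPTS = 5       # assumed: attempts allowed per session per window
WINDOW_SECONDS = 60    # assumed: length of the sliding window in seconds


class RateLimiter:
    """Sliding-window counter keyed by session id (or client IP)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock                  # injectable so the replay below is deterministic
        self._hits = defaultdict(deque)     # key -> timestamps of recent attempts

    def allow(self, key):
        """Record one attempt for `key`; return False once the window is full."""
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:   # drop attempts outside the window
            hits.popleft()
        if len(hits) >= self.max_attempts:
            return False                    # not recorded: the caller answers 429
        hits.append(now)
        return True


def change_password(store, limiter, session, old_password, new_password):
    """Handler returning an (HTTP status, message) pair.

    The limiter runs first so that failed attempts also consume budget. With
    limiter=None the handler behaves like the unpatched endpoint in the report:
    every replayed request is processed.
    """
    if limiter is not None and not limiter.allow(session):
        return 429, "Too Many Requests"
    if store.get(session) != old_password:
        return 403, "old password incorrect"
    if new_password == old_password:
        return 400, "new password must differ from the old one"
    store[session] = new_password
    return 200, "password changed"


class FakeClock:
    """Manual clock so the simulation runs offline and repeatably."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def replay_attack(n, current_password, old_password, new_password, rate_limited=True, clock=None):
    """Simulate the report's Burp run: n identical requests from one authenticated
    session. Returns a tally of the status codes the handler produced."""
    clock = clock or FakeClock()
    limiter = RateLimiter(clock=clock) if rate_limited else None
    store = {"sess-demo": current_password}   # constructed: one account's current password
    tally = Counter()
    for _ in range(n):
        status, _msg = change_password(store, limiter, "sess-demo", old_password, new_password)
        tally[status] += 1
    return tally


if __name__ == "__main__":
    # The report's request (old == new) replayed 100 times, unpatched vs. patched.
    print("no limit  :", dict(replay_attack(100, "Winter23!", "Winter23!", "Winter23!", rate_limited=False)))
    print("with limit:", dict(replay_attack(100, "Winter23!", "Winter23!", "Winter23!")))
```

Without the limiter all 100 replays reach the handler; with it, only the first five are processed and the remaining 95 get 429. Counting failed attempts (403 and 400) against the budget is deliberate: a limiter that only counts successes would not slow down the replay at all.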

Impact

Trouble for the users of the website, because massive email bombing can be done by attackers within seconds.

We are processing your report and will contact the froxlor team within 24 hours. 3 months ago
We have contacted a member of the froxlor team and are waiting to hear back 3 months ago
Michael, 3 months ago

Why set Privileged required to none when "Changing password" is clearly an authenticated action?

Mohammed (Researcher), 3 months ago

Sorry! Yes, it's an authenticated action. Please change the privileges required to yes.

Michael Kaufmann modified the Severity from High (7.4) to Medium (6.8) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Michael Kaufmann validated this vulnerability 3 months ago
Mohammed A. Siledar has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mohammed (Researcher), 3 months ago

Hey @Michael, thank you. Is it possible to get a CVE assigned for this? Thanks.

Mohammed (Researcher), 3 months ago

Humble request to include the emails below when assigning the CVE: Mohammed A. Siledar (earth22sky@gmail.com) and Mohammed Naushad S (9shad71@gmail.com).

Michael, 3 months ago

This is nothing we control; ask the huntr.dev guys how this is handled.

Mohammed (Researcher), 3 months ago

@admin, could you help with the above request?

Ben Harvie (Admin), 3 months ago

Hi earth2sky, you will be credited within the CVE with your username. Check out the CVEs assigned in the hacktivity for some examples.

@maintainer, you have the power to assign a CVE once you mark the vulnerability as fixed; you can update the CVE description to your liking during this process.

Thanks :)

Mohammed (Researcher), 3 months ago

Any updates?

Michael, 3 months ago

No, we are an open source project which is done in spare time; currently there is not much time, sorry. I've already acknowledged this and it will be addressed.

Michael Kaufmann marked this as fixed in 2.0.16 with commit 167967 23 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on May 12th 2023
admin_index.php#L199-L210 has been validated
Michael Kaufmann published this vulnerability 14 days ago