Allocation of Resources Without Limits or Throttling in koel/koel

Reported on May 20th 2021

✍️ Description

Koel applies no rate limiting or lockout to its login endpoint, so an attacker can brute-force a user's password with an unlimited number of attempts.

🕵️‍♂️ Proof of Concept

  • Spin up an instance of Koel.
  • Open Burp Suite, capture a login request, send it to Intruder, set the password field as the payload position, load a wordlist and run the attack.
  • An invalid credential pair returns HTTP 401; a valid pair returns HTTP 200. The status code is therefore a reliable oracle for every guess, and no number of failures ever causes a request to be blocked or delayed.

💥 Impact

This can lead to full account takeover of any user with a guessable password, including administrator accounts, which hold dangerous permissions.

💡 Mitigation

  • Limit failed login attempts per account and per client IP, answering with a 429 or a temporary lockout after a small number of failures
  • Enforce a password strength policy so that weak, easily guessed passwords cannot be set
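The following is an added example, not code from the koel project or from the reporter, showing the two sides of the report side by side: a simulated login endpoint that reproduces the 401/200 oracle, an Intruder-style brute force run against it, and a sliding-window login throttle of the kind the mitigation asks for. The user table, wordlist, client IP and status codes are constructed for the demonstration; sha256 stands in for the bcrypt hashes a real application stores. In a Laravel application such as koel the same effect is normally obtained with the framework's `throttle` middleware or `RateLimiter` facade rather than a hand-rolled counter.

```python
"""Added example: login-attempt throttling versus an unthrottled login oracle.
Everything below (users, passwords, IPs, wordlist) is constructed."""
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5        # failures tolerated per (client IP, account) pair ...
WINDOW_SECONDS = 60     # ... inside this sliding window before answering 429


class LoginThrottle:
    """Sliding-window counter of failed logins keyed by client IP + account."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                      # injectable for deterministic tests
        self._failures = defaultdict(list)      # key -> timestamps of recent failures

    def _recent(self, key):
        cutoff = self.clock() - self.window
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return self._failures[key]

    def is_locked(self, key):
        return len(self._recent(key)) >= self.max_failures

    def record_failure(self, key):
        self._failures[key].append(self.clock())

    def clear(self, key):
        self._failures.pop(key, None)


def _h(pw):
    # Stand-in for a real password hash (koel uses bcrypt); sha256 keeps the demo offline.
    return hashlib.sha256(pw.encode()).hexdigest()


USERS = {"admin@example.com": _h("Winter2021!")}   # constructed user table
_DUMMY_HASH = _h("dummy")   # compared for unknown users so timing does not reveal them


def attempt_login(email, password, client_ip, throttle=None):
    """Return the HTTP status the login endpoint answers with.
    throttle=None reproduces the reported behaviour: 401 until the guess is right, then 200."""
    key = f"{client_ip}|{email.lower()}"
    if throttle is not None and throttle.is_locked(key):
        return 429                              # locked out: even a correct guess is refused
    stored = USERS.get(email.lower(), _DUMMY_HASH)
    # compare_digest runs in constant time; the membership test keeps unknown users at 401
    ok = hmac.compare_digest(stored, _h(password)) and email.lower() in USERS
    if ok:
        if throttle is not None:
            throttle.clear(key)
        return 200
    if throttle is not None:
        throttle.record_failure(key)
    return 401


def brute_force(email, wordlist, client_ip="203.0.113.10", throttle=None):
    """Replay the Intruder run from the PoC: one login per candidate, collect status codes."""
    return [attempt_login(email, pw, client_ip, throttle) for pw in wordlist]


# Constructed wordlist; the real password is the 8th guess.
WORDLIST = ["password", "123456", "koel", "admin", "letmein",
            "qwerty", "Summer2021!", "Winter2021!", "welcome1"]


class FakeClock:
    """Manual clock so the lockout window can be advanced without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    # Unthrottled: seven 401s, then the 200 that hands the attacker the account.
    print("unthrottled:", brute_force("admin@example.com", WORDLIST))
    # Throttled: five 401s, then 429 for everything else, the correct password included.
    print("throttled:  ", brute_force("admin@example.com", WORDLIST, throttle=LoginThrottle()))
```

Keying the counter on client IP plus account is a compromise: a per-account-only lockout lets an attacker lock legitimate users out at will, while a per-IP-only limit is defeated by spreading guesses across many source addresses. Production deployments usually combine the two with a global limit and a longer lockout for the account once several IPs have failed against it.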