Koel lacks any form of rate limiting on its login form, which allows an attacker to brute-force credentials.
🕵️‍♂️ Proof of Concept
- Spin up an instance of Koel.
- Open Burp Suite, capture a login request, send it to Intruder, configure the attack options and run it.
- The response is 401 for invalid credentials and 200 for valid ones, with no limit on the number of attempts.
Impact
This can lead to full account takeover, including of admin accounts, which hold dangerous permissions.
Recommended fix
- Implement a limit on failed login attempts (rate limiting or a temporary lockout).
- Enforce a password strength policy.
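As an added example (not Koel's code), the first recommendation in Python: a sliding-window limiter that counts failed logins per account and per client IP, locks either key after too many failures inside the window, and makes the endpoint answer 429 while locked instead of the unthrottled 401/200 oracle shown in the PoC. The `LoginThrottle` class, its parameters and the `login` helper are hypothetical; a real deployment would keep the counters in a shared cache rather than in process memory.

```python
from collections import deque
import time

class LoginThrottle:
    """Sliding-window limit on failed logins, keyed per account and per client IP.
    Hypothetical defensive helper, not Koel's code: a lockout on either key stops
    one IP spraying many accounts as well as many IPs hammering one account."""

    def __init__(self, max_attempts=5, window_s=60, lockout_s=300, clock=time.monotonic):
        self.max_attempts, self.window_s, self.lockout_s = max_attempts, window_s, lockout_s
        self.clock = clock
        self._failures = {}      # key -> deque of failure timestamps inside the window
        self._locked_until = {}  # key -> clock value at which the lockout ends

    @staticmethod
    def _keys(username, ip):
        return (("user", username.lower()), ("ip", ip))

    def retry_after(self, username, ip):
        """Seconds until another attempt is allowed; 0 when not locked."""
        now = self.clock()
        return max([0.0] + [self._locked_until.get(k, 0) - now for k in self._keys(username, ip)])

    def record_failure(self, username, ip):
        now = self.clock()
        for key in self._keys(username, ip):
            q = self._failures.setdefault(key, deque())
            q.append(now)
            while now - q[0] > self.window_s:  # forget failures older than the window
                q.popleft()
            if len(q) >= self.max_attempts:
                self._locked_until[key] = now + self.lockout_s
                q.clear()

    def record_success(self, username, ip):
        # Only the account counter resets; the IP counter keeps its history so a
        # known-good login cannot wipe the evidence of spraying from that address.
        self._failures.pop(("user", username.lower()), None)

def login(throttle, username, ip, credentials_valid):
    """HTTP status a throttled login endpoint would return for this attempt."""
    if throttle.retry_after(username, ip) > 0:
        return 429  # locked out: refuse even a correct password so validity is not leaked
    if credentials_valid:
        throttle.record_success(username, ip)
        return 200
    throttle.record_failure(username, ip)
    return 401
```

Pair the lockout with logging of the 429s, since a burst of them against one account or from one address is exactly the signal the PoC above would generate.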