No password brute-force protection on login page in hay-kot/mealie

Valid

Reported on

Jul 28th 2022


Description

The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible combination without any restriction.

Proof of Concept

  1. Send a login request for the target user:

```http
POST /api/auth/token HTTP/1.1
Host: localhost:9091
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLDx5Wjaf8w8QGFao

------WebKitFormBoundaryLDx5Wjaf8w8QGFao
Content-Disposition: form-data; name="username"

admin@email.com
------WebKitFormBoundaryLDx5Wjaf8w8QGFao
Content-Disposition: form-data; name="password"

password
------WebKitFormBoundaryLDx5Wjaf8w8QGFao
Content-Disposition: form-data; name="remember_me"

false
------WebKitFormBoundaryLDx5Wjaf8w8QGFao--
```

  2. Capture and replay the login request with a different password each time (brute force).

Impact

An attacker could perform a brute-force attack targeting normal and administrative users, using different passwords and eventually gain access to the targeted account, without any restriction.
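The mitigation the report is asking for is failed-login throttling in front of the password check. The following is an added illustration written for this page; it is not mealie's code and does not reproduce the project's actual fix referenced below (auth.py#L50-L65). The user store, the `login` handler, the client IP and the thresholds (`MAX_FAILURES`, `WINDOW_SECONDS`, `LOCKOUT_SECONDS`) are all constructed for the example. Once an account/IP pair exceeds the failure limit inside the sliding window it is locked, and every attempt during the lockout is refused with 429, including one carrying the correct password, so a replayed request loop like the one in the PoC stops gaining information.

```python
"""Constructed example: failed-login throttling for a token endpoint (not mealie's code)."""
import hmac
import time
from collections import defaultdict, deque
from hashlib import sha256

MAX_FAILURES = 5        # failed attempts tolerated inside the window (assumed value)
WINDOW_SECONDS = 60     # sliding window over which failures are counted (assumed value)
LOCKOUT_SECONDS = 300   # how long a key stays locked once the limit is hit (assumed value)


class LoginThrottle:
    """Sliding-window failure counter keyed by (username, client IP)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                  # injectable so tests can advance time
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> clock value at which the lock ends

    def _prune(self, key, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, key):
        now = self._clock()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear it and start counting from a clean window.
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key):
        now = self._clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, key):
        # A genuine login clears the counter for that key.
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def _h(password):
    # sha256 keeps the example dependency-free; a real service uses a slow KDF (bcrypt/argon2).
    return sha256(password.encode()).hexdigest()


USERS = {"admin@email.com": _h("correct horse battery staple")}  # constructed user store


def login(throttle, username, password, client_ip):
    """Constructed handler: returns (status, detail) the way an HTTP endpoint would."""
    key = (username, client_ip)
    if throttle.is_locked(key):
        # Refuse before looking at the password so a correct guess cannot leak through the lockout.
        return 429, "too many failed attempts; try again later"
    stored = USERS.get(username)
    # Constant-time compare; unknown users take the same code path as wrong passwords.
    ok = stored is not None and hmac.compare_digest(stored, _h(password))
    if not ok:
        throttle.record_failure(key)
        return 401, "invalid credentials"
    throttle.record_success(key)
    return 200, "token issued"


def demo():
    """Replay five wrong guesses, then the right password during and after the lockout."""
    t = [0.0]
    throttle = LoginThrottle(clock=lambda: t[0])
    ip = "203.0.113.7"  # constructed client address
    results = []
    for guess in ["password", "123456", "admin", "letmein", "qwerty"]:
        results.append(login(throttle, "admin@email.com", guess, ip)[0])
    # Sixth attempt carries the correct password but arrives inside the lockout.
    results.append(login(throttle, "admin@email.com", "correct horse battery staple", ip)[0])
    t[0] += LOCKOUT_SECONDS + 1
    results.append(login(throttle, "admin@email.com", "correct horse battery staple", ip)[0])
    return results  # [401, 401, 401, 401, 401, 429, 200]


if __name__ == "__main__":
    print(demo())
```

Keying on the (username, IP) pair stops a single client hammering one account without letting an attacker lock arbitrary users out from afar; a deployment that also wants to resist attempts spread across many source addresses adds a second, per-username counter with a higher threshold. Whichever key is used, the 429 response must be returned before the password is compared, and every 401/429 should be logged with the username and source address so repeated failures are visible to monitoring.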

We are processing your report and will contact the hay-kot/mealie team within 24 hours. 2 months ago
We have contacted a member of the hay-kot/mealie team and are waiting to hear back 2 months ago
Hayden validated this vulnerability 2 months ago
vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the hay-kot/mealie team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the hay-kot/mealie team. We will try again in 10 days. 2 months ago
Hayden confirmed that a fix has been merged on b3c41a 2 months ago
Hayden has been awarded the fix bounty
auth.py#L50-L65 has been validated