No password brute-force protection on login page in hay-kot/mealie

Valid

Reported on Jul 28th 2022

Description

The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible combination without any restriction.

Proof of Concept

1. Send a login request for the target user:
POST /api/auth/token HTTP/1.1
Host: localhost:9091
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLDx5Wjaf8w8QGFao

------WebKitFormBoundaryLDx5Wjaf8w8QGFao
Content-Disposition: form-data; name="username"

admin@email.com
------WebKitFormBoundaryLDx5Wjaf8w8QGFao
Content-Disposition: form-data; name="password"

password
------WebKitFormBoundaryLDx5Wjaf8w8QGFao
Content-Disposition: form-data; name="remember_me"

false
------WebKitFormBoundaryLDx5Wjaf8w8QGFao--
2. Capture and replay the login request with a different password each time (brute force).

Impact

An attacker could perform a brute-force attack targeting normal and administrative users, using different passwords and eventually gain access to the targeted account, without any restriction.
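One defender-side mitigation for the gap described above, as an added example that is neither Mealie's code nor its eventual fix: a per-account and per-source failed-login throttle with escalating lockouts, wrapped in a hypothetical `login()` decision function of the kind a handler for POST /api/auth/token would call before and after checking the password. The `LoginThrottle` and `login` names, the thresholds, and the injectable clock are all assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0

class LoginThrottle:
    """Failed-login tracking per account and per client source, with escalating lockouts (hypothetical helper)."""
    def __init__(self, max_failures: int = 5, base_lockout: float = 30.0,
                 max_lockout: float = 3600.0, clock: Callable[[], float] = time.monotonic):
        self.max_failures, self.base_lockout, self.max_lockout = max_failures, base_lockout, max_lockout
        self.clock = clock  # injectable so the behaviour can be tested without sleeping
        self._state: Dict[Tuple[str, str], _State] = {}

    def _keys(self, username: str, source: str):
        # Throttle both the (normalised) account name and the client address.
        return (("user", username.strip().lower()), ("src", source))

    def retry_after(self, username: str, source: str) -> float:
        now = self.clock()
        waits = [self._state[k].locked_until - now for k in self._keys(username, source) if k in self._state]
        return max([0.0] + waits)  # seconds to wait; 0.0 means the attempt may proceed

    def record_failure(self, username: str, source: str) -> None:
        now = self.clock()
        for key in self._keys(username, source):
            st = self._state.setdefault(key, _State())
            st.failures += 1
            if st.failures >= self.max_failures:
                # Lockout doubles for every failure past the threshold, capped at max_lockout.
                lockout = min(self.max_lockout, self.base_lockout * 2 ** (st.failures - self.max_failures))
                st.locked_until = now + lockout

    def record_success(self, username: str, source: str) -> None:
        # A correct password clears the account counter; the source counter keeps its history.
        self._state.pop(self._keys(username, source)[0], None)

def login(throttle: LoginThrottle, verify: Callable[[str, str], bool],
          username: str, password: str, source: str) -> Tuple[str, float]:
    # Lockout is checked before the password so locked attempts cost nothing and leak nothing.
    wait = throttle.retry_after(username, source)
    if wait > 0:
        return "locked", wait  # a real handler would answer 429 with a Retry-After header
    if verify(username, password):
        throttle.record_success(username, source)
        return "ok", 0.0
    throttle.record_failure(username, source)
    return "invalid", throttle.retry_after(username, source)
```

The `verify` callback stands in for the application's own password check; the throttle state here is in-process memory, so a multi-worker deployment would keep it in a shared store instead.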

We are processing your report and will contact the hay-kot/mealie team within 24 hours. a year ago
We have contacted a member of the hay-kot/mealie team and are waiting to hear back a year ago
Hayden validated this vulnerability a year ago
vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the hay-kot/mealie team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the hay-kot/mealie team. We will try again in 10 days. a year ago
Hayden marked this as fixed in nightly with commit b3c41a a year ago
Hayden has been awarded the fix bounty
This vulnerability will not receive a CVE
auth.py#L50-L65 has been validated