Insufficient Granularity of Access Control in thedevdojo/wave

Valid

Reported on

Oct 9th 2021


Description:

There is no rate limit on the password-reset (forgot password) request, so unlimited emails can be sent to the victim's address or to any other email address.

Proof of Concept:

The return-password (forgot password) endpoint is not rate limited, so an attacker can trigger an unlimited number of password-reset emails to the victim or to any email address.

Impact:

An attacker can send unlimited emails to any mail address.

Solution:

Add `'throttle' => 60` to the `passwords` section of the `config/auth.php` config, or add `$this->middleware('throttle:3,1')` to the forgot-password controller's constructor.
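The constructor-based fix from the Solution section, written out as an added example for a Laravel application of the kind Wave is built on. This is illustrative code, not Wave's own controller: the class and namespace are assumed from Laravel's stock auth scaffolding, and the limit values are the ones the report proposes.

```php
<?php
// Hypothetical ForgotPasswordController illustrating the proposed fix.
// Not taken from thedevdojo/wave; the class layout follows Laravel's
// default auth scaffolding (SendsPasswordResetEmails trait).

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\SendsPasswordResetEmails;

class ForgotPasswordController extends Controller
{
    use SendsPasswordResetEmails;

    public function __construct()
    {
        // Only unauthenticated users should request reset links.
        $this->middleware('guest');

        // throttle:<maxAttempts>,<decayMinutes>: at most 3 reset requests per
        // minute per client. Laravel keys the counter on the client IP for
        // guests and answers further requests with HTTP 429 and a Retry-After
        // header, so a single source can no longer flood a mailbox.
        $this->middleware('throttle:3,1');
    }
}
```

The `throttle` key in `config/auth.php` (under `passwords.users`) addresses the other side of the problem: it is the number of seconds that must pass before another reset token, and therefore another email, is generated for the same account, so `'throttle' => 60` caps reset mails per target address at one per minute regardless of how many clients ask. The two controls are complementary: the middleware limits requests per client, the config setting limits emails per victim. A quick check after deploying either is to submit the form a few times in a row and confirm that the excess requests return 429 (middleware) or that only one reset email arrives per minute (config).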

References:

https://apisecurity.io/encyclopedia/content/owasp/api4-lack-of-resources-and-rate-limiting.htm

Ziding Zhang
2 months ago

Admin


Hey HDVinnie, I've opened a PR asking for a security policy.

HDVinnie
2 months ago

Researcher


@Ziding Zhang thanks. Looks like the PR has been accepted. Hopefully the maintainer will get an email now and respond here.

HDVinnie
2 months ago

Researcher


@admin the PR has been merged with a valid email address... can you please force send the disclosure email with the magic link?

Iskam Website validated this vulnerability a month ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Iskam Website confirmed that a fix has been merged on 6201d6 a month ago
Iskam Website has been awarded the fix bounty