No Protection against Bruteforce attacks on Login page in kiwitcms/kiwi
Valid
Reported on
Dec 3rd 2022
Description Webpage manager does not limit unsuccessful login attempts allowing Brute Forcing.
Proof of Concept
- Register the account.
- Logout the account and try to login with the different password.
- Take the request into Burp suite intruder, set the payload list to 30(for testing).
- The server is accepting each request and it not limiting the response.
The server should have block the continues request to avoid the DOS attacks. and eventually we can login with the correct password without any blocking message.
# Impact
The impact is unlimited password attempts leading to Brute Force attacks on the login page.
Occurrences
views.py L47
Sorry i could not find the correct permalink.
We are processing your report and will contact the
kiwitcms/kiwi
team within 24 hours.
6 months ago
We have contacted a member of the
kiwitcms/kiwi
team and are waiting to hear back
6 months ago
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on
Feb 20th 2023
views.py#L47
has been validated
to join this conversation