No Protection against Bruteforce attacks on Login page in kiwitcms/kiwi

Valid

Reported on

Dec 3rd 2022

Description Webpage manager does not limit unsuccessful login attempts allowing Brute Forcing.

Proof of Concept

Register the account.
Logout the account and try to login with the different password.
Take the request into Burp suite intruder, set the payload list to 30(for testing).
The server is accepting each request and it not limiting the response.

The server should have block the continues request to avoid the DOS attacks. and eventually we can login with the correct password without any blocking message.



# Impact

The impact is unlimited password attempts leading to Brute Force attacks on the login page.

Occurrences

views.py L47

Sorry i could not find the correct permalink.

References

https://huntr.dev/bounties/f0d85efa-4e78-4b1d-848f-edea115af64b/

We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. 4 months ago

We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back 4 months ago

A kiwitcms/kiwi maintainer validated this vulnerability a month ago

spyata has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A kiwitcms/kiwi maintainer marked this as fixed in 12.0 with commit 0ed213 a month ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

This vulnerability is scheduled to go public on Feb 20th 2023

views.py#L47 has been validated

A kiwitcms/kiwi maintainer published this vulnerability a month ago

to join this conversation