Improper Restriction of Excessive Authentication Attempts in firefly-iii/firefly-iii
Reported on
Jul 21st 2021
Improper Restriction of Excessive Authentication Attempts. The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.
STEPS FOR REPRODUCTION:
1) Go to https://demo.firefly-iii.org/login
2) Enter the username and password
3) Capture the request
4) Set the field for password and start bruteforcing the password
I was able to brute force the password with a list of around 200+ usernames; the number of attempts must be reduced to less than 10.
💥 Impact
If the attacker uses the correct password list, this vulnerability can lead to account takeovers.
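As an added illustration of the missing control (not Firefly III's own code, which is a Laravel/PHP application), the following constructed Python limiter counts failed logins per username and client address and refuses further attempts, even with the right password, once the threshold is crossed; the thresholds, the injectable clock and the user store are assumptions made for this example.

```python
import hmac
import time
from collections import defaultdict

# Constructed credential store; a real system compares against a salted hash.
USERS = {"alice": "correct-horse-battery-staple"}
MAX_FAILURES = 5        # failures tolerated before the key is locked out
WINDOW_SECONDS = 300    # failures older than this no longer count
LOCKOUT_SECONDS = 900   # how long a locked key is rejected outright


class LoginThrottle:
    """Counts failed logins per (username, client IP) and locks the pair out."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable for deterministic tests
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
        self.locked_until = {}             # key -> time the lockout expires

    def is_locked(self, username, ip):
        until = self.locked_until.get((username.lower(), ip))
        return until is not None and self.clock() < until

    def record_failure(self, username, ip):
        key, now = (username.lower(), ip), self.clock()
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, username, ip):
        self.failures.pop((username.lower(), ip), None)
        self.locked_until.pop((username.lower(), ip), None)


def attempt_login(throttle, username, password, ip):
    """Returns 'locked', 'ok' or 'invalid'. A locked key is refused before the
    password is checked, so guessing cannot continue during the lockout."""
    if throttle.is_locked(username, ip):
        return "locked"
    expected = USERS.get(username)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "invalid"
```

Keying on the client address alone is not enough against distributed guessing, so the key here includes the username; a per-account lockout also gives the login page a single place to raise an alert when the threshold is hit.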
Nice find, should be fixed now on the demo site. Fix will be part of the next release.
@James - the content of the CVE to be published:
https://github.com/418sec/cvelist/blob/CVE-2021-3663/2021/3xxx/CVE-2021-3663.json
hi, is the disclosure bounty for this program $0 or $80, because I saw $80 while searching for this program
hi @admin is the disclosure bounty for this program $0 or $80, because I saw $80 while searching for this program
@sudheendra17 - this was given a bounty reward of $0 as the CWE type / vulnerability type is blacklisted. This is because it is non-code vulnerability type. Feel free to read our disclosure policy for more information:
@James - the CVE is now pending, and should be published shortly by the CVE team.