Context Switching Race Condition in circuitverse/circuitverse

Valid

Reported on

Aug 24th 2021


✍️ Description

No rate limit on the password-reset endpoint allows sending unlimited emails to any mail address.

🕵️‍♂️ Proof of Concept

The forgot-password flow has no rate limit on sending the password-reset email, which allows unlimited emails to be sent to a mail address. The request below is affected by the missing rate limit:

POST /users/password HTTP/2
Host: circuitverse.org
Cookie: ahoy_visitor=d2bc2d97-c241-4206-b410-430ad9b3719b; ahoy_visit=6565f39e-3719-4566-b746-bcd2f6505c3f; _logix_session=MAuX7x%2Bz8TNHnbiRIwNscgujjY6sP7L9rzzn4eT7AFt8xU%2B0O1E0YbVB8m%2FA3s06kZIuHoj6yZFknGQU0FP12tsbfFEfRExYeKG5y4y%2B8c4oanbH57E0qTcSFa46SnP0CeCmkNnMZ33CmO%2BjC9ybJZDktYPkHgAhT13CS9dx1kkVII0NE6kFLDC8iCsbLf%2BhlMmLQm8cH5s5oK4A077jx8T6IWz1qAJnFteL5K%2FsZCFlJv3FUtE8d%2FsX9aiH3TtcOwSuOqsJE77P1La6RSPS%2F5U1NmqsZ8Tvg7KLSHKGv%2FiracMEDmoWSgU%2B6z7SLQT7pCE%3D--uJiHpLajQNxxHZb3--WqMoRZqNrNo6qWsO92TJwg%3D%3D
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://circuisdstverse.org/users/password/new
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Origin: https://circuitsdverse.org
Content-Length: 191
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: same-origin
Sec-Fetch-Site: same-origin
Te: trailers

authenticity_token=ub6dEWChnpDPhJYu%2BbHrCyrqayIC%2FxqU1hM%2BPo6Dszj7vSxaAezQ%2Bo3IQgr5GEW7TTTFc4wohatL38uAm1epaQ%3D%3D&user%5Bemail%5D=catare3634%40kibwot.com&commit=Send+password+reset+link

In this request, change the email ID to any registered email address.
Now send this request an unlimited number of times and the victim's email address will receive unlimited password-reset emails.
An attacker can also script this (for example in Python) and send unlimited emails.
You should set a rate limit there to prevent this.
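As an added example (not part of the original report and not CircuitVerse project code), here is a minimal Ruby sliding-window rate limiter applied to a password-reset handler. It throttles on two keys at once: the requesting client IP and the normalised target e-mail address. The class names, the ResetRequest struct and the limit values (5 attempts per IP per 15 minutes, 3 reset mails per address per hour) are all hypothetical choices for illustration.

```ruby
# Added example, not CircuitVerse project code. Sliding-window rate limiting
# for a password-reset handler, keyed on client IP and on target address.
# SlidingWindowLimiter, PasswordResetThrottle and ResetRequest are hypothetical.

class SlidingWindowLimiter
  # limit:  maximum attempts allowed per key within +window+ seconds
  # clock:  injectable time source in seconds, so tests can advance time
  def initialize(limit:, window:, clock: nil)
    @limit  = limit
    @window = window
    @clock  = clock || -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) }
    @events = Hash.new { |h, k| h[k] = [] }   # key => timestamps of recent attempts
  end

  # Records an attempt for +key+; returns true if it is still within the limit.
  def allow?(key)
    now    = @clock.call
    bucket = @events[key]
    bucket.reject! { |t| now - t >= @window }  # forget attempts older than the window
    return false if bucket.size >= @limit
    bucket << now
    true
  end
end

ResetRequest = Struct.new(:ip, :email)

class PasswordResetThrottle
  IP_LIMIT    = 5        # attempts per source IP per 15 minutes (constructed policy)
  IP_WINDOW   = 15 * 60
  MAIL_LIMIT  = 3        # reset mails per address per hour (constructed policy)
  MAIL_WINDOW = 60 * 60

  # mailer: callable that actually sends the reset mail for an address
  def initialize(mailer:, clock: nil)
    @mailer   = mailer
    @by_ip    = SlidingWindowLimiter.new(limit: IP_LIMIT,   window: IP_WINDOW,   clock: clock)
    @by_email = SlidingWindowLimiter.new(limit: MAIL_LIMIT, window: MAIL_WINDOW, clock: clock)
  end

  # Both buckets are checked before any mail is sent: a single source hitting
  # many addresses is capped by the per-IP bucket, and an attacker rotating
  # source IPs against one victim is capped by the per-address bucket.
  def call(req)
    email = req.email.to_s.strip.downcase   # normalise so case variants share a bucket
    return { status: 429, reason: :ip_limit }    unless @by_ip.allow?(req.ip)
    return { status: 429, reason: :email_limit } unless @by_email.allow?(email)
    @mailer.call(email)
    { status: 200 }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: four requests from different IPs against one address.
  throttle = PasswordResetThrottle.new(mailer: ->(e) { puts "reset mail sent to #{e}" })
  4.times do |i|
    p throttle.call(ResetRequest.new("10.0.0.#{i + 1}", "Victim@Example.org"))
  end
end
```

The store here is per-process memory, which is enough to show the logic; a deployed Rails app would keep the counters in a shared store so the limit holds across every application server (the rack-attack middleware is a common way to do that). The per-address bucket is the part that actually protects the victim's inbox, since the per-IP bucket alone is defeated by rotating source addresses.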

💥 Impact

An attacker can send unlimited emails to any mail address. Many email service providers cap email sending, for example at 10000 emails per month; if you exceed that limit you are charged extra. So, using this attack, an attacker can exceed that limit and the company will be charged extra money.

We have contacted a member of the circuitverse team and are waiting to hear back a year ago
Aboobacker MK
a year ago

This is a valid issue and the same as you reported before, and we are working on implementing the rate limiter. But the linked CVE is still misleading. I think https://cwe.mitre.org/data/definitions/640.html is more appropriate in this context

ranjit-git
a year ago

Researcher


Yes, agree.
Provided CVE is inaccurate.
But please ignore it. I will take care of it in my future reports

Aboobacker MK validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Aboobacker MK
a year ago

Fixed in https://github.com/CircuitVerse/CircuitVerse/commit/879d145976dbe5c23fd9c42e400020fdd1c361e6 by @gr455

Aboobacker MK confirmed that a fix has been merged on 879d14 a month ago
The fix bounty has been dropped