Insufficient Granularity of Access Control in snipe/snipe-it

Valid

Reported on

Oct 7th 2021

Description

There is no rate limit sent unlimited email victim or any email address

Proof of Concept

There is no rate limit return-password , attacker to send unlimited email to victim or any email address.

POST /password/email HTTP/1.1

Host: demo.snipeitapp.com

Connection: close

Content-Length: 62

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: https://demo.snipeitapp.com

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed- exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: https://demo.snipeitapp.com/password/reset

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Cookie: snipeitv48_session=h0w6J6utAn2wIe4EMMkWHJVI2PTaOzBPLLuOH4JG; XSRF- TOKEN=eyJpdiI6IkttM01uZ1lpMHZFY3I5a0wxVlVnUXc9PSIsInZhbHVlIjoiVVlvemxGd3JXQjkxNTh2OTJHNGpDZ3VzTGY4NFc1K1N4dld4ekFiN2h0Y1RscFZJa2pUcFVZVkpzamxKeGZhWG9IdlZxdlhaRkdtQk1iMkZ2dmJpVDc0Zmx2VDJqMkpNY0p6RWpDWW5ZWDV4MHN3OEZIYk1TYTk2aWlOUm9qNU4iLCJtYWMiOiI3ZWY0ZTYyNTNlNDEzZGQzOTI2OTVhYWQ2OWY4M2I3MmZjOWM1MTc4ODYzNGYzYTQ5MGYwY2NlMGE4ODVjNjMxIn0%3D

_token=qNXYj866UOlCog9UfSQl3U8NidUTWwBqKkzG8VoG&username=admin

Post data username= parameter value to victim username. this request unlimited time and victim email address will received unlimited verification email .

Impact

Attacker can sent unlimited email to any mail address .

Solution:

'reset_password_tries_limit'=>5, 'reset_password_tries'=>"int(10) unsigned DEFAULT '0'",

References

https://apisecurity.io/encyclopedia/content/owasp/api4-lack-of-resources-and-rate-limiting.htm

We have contacted a member of the snipe/snipe-it team and are waiting to hear back 19 days ago

snipe

commented 19 days ago

Maintainer

While this isn't incorrect, we have never ever seen this exploited in the wild. You'd need to know the URL and username of a user on the system.

takester

commented 19 days ago

Researcher

Well, yes we need that, for every attack we need URL isn't it and about the valid username, an attacker may or may not know the username can do the dictionary attack to perform the attack.

https://hackerone.com/reports/145458 And please do refer this previously submitted report too https://huntr.dev/bounties/d33cd2a3-1cff-4a9d-a0d1-df7d01e2d1e2/

takester

commented 18 days ago

Researcher

any update??

snipe

commented 18 days ago

Maintainer

If there was an update, I'd have said so. It's been one day.

snipe validated this vulnerability 18 days ago

takester has been awarded the disclosure bounty

The fix bounty is now up for grabs

snipe confirmed that a fix has been merged on 702791 18 days ago

snipe has been awarded the fix bounty

We have contacted a member of the snipe/snipe-it team and are waiting to hear back 19 days ago

snipe

commented 19 days ago

Maintainer

While this isn't incorrect, we have never ever seen this exploited in the wild. You'd need to know the URL and username of a user on the system.

takester

commented 19 days ago

Researcher

Well, yes we need that, for every attack we need URL isn't it and about the valid username, an attacker may or may not know the username can do the dictionary attack to perform the attack.

https://hackerone.com/reports/145458 And please do refer this previously submitted report too https://huntr.dev/bounties/d33cd2a3-1cff-4a9d-a0d1-df7d01e2d1e2/

takester

commented 18 days ago

Researcher

any update??

snipe

commented 18 days ago

Maintainer

If there was an update, I'd have said so. It's been one day.

snipe validated this vulnerability 18 days ago

takester has been awarded the disclosure bounty

The fix bounty is now up for grabs

snipe confirmed that a fix has been merged on 702791 18 days ago

snipe has been awarded the fix bounty