Insufficient Granularity of Access Control in snipe/snipe-it

Status: Valid

Reported on: Oct 7th 2021


Description

There is no rate limit, so an attacker can send unlimited emails to a victim or to any email address.

Proof of Concept

There is no rate limit on the reset-password endpoint, so an attacker can send unlimited emails to the victim or to any email address.

POST /password/email HTTP/1.1
Host: demo.snipeitapp.com
Connection: close
Content-Length: 62
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://demo.snipeitapp.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.snipeitapp.com/password/reset
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: snipeitv48_session=h0w6J6utAn2wIe4EMMkWHJVI2PTaOzBPLLuOH4JG; XSRF-TOKEN=eyJpdiI6IkttM01uZ1lpMHZFY3I5a0wxVlVnUXc9PSIsInZhbHVlIjoiVVlvemxGd3JXQjkxNTh2OTJHNGpDZ3VzTGY4NFc1K1N4dld4ekFiN2h0Y1RscFZJa2pUcFVZVkpzamxKeGZhWG9IdlZxdlhaRkdtQk1iMkZ2dmJpVDc0Zmx2VDJqMkpNY0p6RWpDWW5ZWDV4MHN3OEZIYk1TYTk2aWlOUm9qNU4iLCJtYWMiOiI3ZWY0ZTYyNTNlNDEzZGQzOTI2OTVhYWQ2OWY4M2I3MmZjOWM1MTc4ODYzNGYzYTQ5MGYwY2NlMGE4ODVjNjMxIn0%3D

_token=qNXYj866UOlCog9UfSQl3U8NidUTWwBqKkzG8VoG&username=admin

Set the POST data username= parameter to the victim's username. This request can be sent an unlimited number of times, and the victim's email address will receive unlimited verification emails.

Impact

An attacker can send unlimited emails to any mail address.

Solution:

'reset_password_tries_limit' => 5,
'reset_password_tries' => "int(10) unsigned DEFAULT '0'",
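As an added illustration of the mitigation the report proposes (a per-account tries counter with a limit of 5), the following is an example throttle for a password-reset endpoint. It is not snipe-it's code and not the fix that was merged; the class and function names, the one-hour cool-down window and the per-client cap of 20 are assumptions for the example. It goes a step beyond the page's per-account counter by also capping requests per client address, so that a dictionary spray of usernames from one source is limited even when no mail is produced, and it returns the same response whether or not the username exists or a limit was hit.

```python
"""Added example (not snipe-it's own code): per-account and per-client
throttling of a password-reset endpoint, modelled on the report's proposed
'reset_password_tries' counter. All names and constants are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

RESET_TRIES_LIMIT = 5   # mirrors the report's 'reset_password_tries_limit' => 5
WINDOW_SECONDS = 3600   # assumed cool-down window; the page does not specify one
CLIENT_LIMIT = 20       # assumed cap per client address across all usernames

# Identical reply for every outcome, so the endpoint confirms neither that
# a username exists nor that a limit was reached.
UNIFORM_RESPONSE = "If that account exists, a reset link has been sent."


@dataclass
class _Bucket:
    """Fixed-window counter: resets when the window has elapsed."""
    count: int = 0
    window_start: Optional[float] = None

    def hit(self, now: float, limit: int) -> bool:
        """Record one attempt at time `now`; True while still under `limit`."""
        if self.window_start is None or now - self.window_start >= WINDOW_SECONDS:
            self.count = 0
            self.window_start = now
        self.count += 1
        return self.count <= limit


class PasswordResetThrottle:
    """Decides whether a reset email may be sent for a given request."""

    def __init__(self, known_users: Iterable[str]) -> None:
        self.known_users = set(known_users)
        self.by_user: Dict[str, _Bucket] = defaultdict(_Bucket)
        self.by_client: Dict[str, _Bucket] = defaultdict(_Bucket)
        self.sent: Dict[str, int] = defaultdict(int)  # emails actually sent, per user

    def request_reset(self, username: str, client_ip: str, now: float) -> str:
        # Count against the client regardless of whether the username is real,
        # so a spray of guessed usernames from one address is capped too.
        client_ok = self.by_client[client_ip].hit(now, CLIENT_LIMIT)
        # Count against the account, so one victim cannot be flooded from
        # many addresses beyond RESET_TRIES_LIMIT per window.
        user_ok = self.by_user[username].hit(now, RESET_TRIES_LIMIT)
        if client_ok and user_ok and username in self.known_users:
            self.sent[username] += 1  # stand-in for actually dispatching the mail
        return UNIFORM_RESPONSE

    def emails_sent_to(self, username: str) -> int:
        return self.sent[username]


if __name__ == "__main__":
    # Constructed demo: eight rapid requests for one account from one address.
    throttle = PasswordResetThrottle(known_users=["admin"])
    for i in range(8):
        throttle.request_reset("admin", "203.0.113.5", now=1000.0 + i)
    print("emails sent to admin:", throttle.emails_sent_to("admin"))  # 5, not 8
```

The per-account counter is what stops the flood described in the proof of concept; the per-client counter addresses the username-guessing case raised in the discussion below, and the uniform response keeps the throttle itself from becoming a username oracle.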

We have contacted a member of the snipe/snipe-it team and are waiting to hear back 19 days ago
snipe
19 days ago

Maintainer


While this isn't incorrect, we have never ever seen this exploited in the wild. You'd need to know the URL and username of a user on the system.

takester
19 days ago

Researcher


Well, yes, we need that; for every attack we need the URL, don't we? And about the valid username, an attacker may or may not know the username and can do a dictionary attack to perform the attack.

https://hackerone.com/reports/145458 And please also refer to this previously submitted report: https://huntr.dev/bounties/d33cd2a3-1cff-4a9d-a0d1-df7d01e2d1e2/

takester
18 days ago

Researcher


any update??

snipe
18 days ago

Maintainer


If there was an update, I'd have said so. It's been one day.

snipe validated this vulnerability 18 days ago
takester has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe confirmed that a fix has been merged on 702791 18 days ago
snipe has been awarded the fix bounty