Insufficient Granularity of Access Control in snipe/snipe-it

Valid

Reported on Oct 7th 2021

Description

There is no rate limit on the password-reset email endpoint, so an attacker can send unlimited emails to a victim or to any email address.

Proof of Concept

There is no rate limit on the reset-password function, so an attacker can send unlimited emails to the victim or to any email address.

POST /password/email HTTP/1.1
Host: demo.snipeitapp.com
Connection: close
Content-Length: 62
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://demo.snipeitapp.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.snipeitapp.com/password/reset
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: snipeitv48_session=h0w6J6utAn2wIe4EMMkWHJVI2PTaOzBPLLuOH4JG; XSRF-TOKEN=eyJpdiI6IkttM01uZ1lpMHZFY3I5a0wxVlVnUXc9PSIsInZhbHVlIjoiVVlvemxGd3JXQjkxNTh2OTJHNGpDZ3VzTGY4NFc1K1N4dld4ekFiN2h0Y1RscFZJa2pUcFVZVkpzamxKeGZhWG9IdlZxdlhaRkdtQk1iMkZ2dmJpVDc0Zmx2VDJqMkpNY0p6RWpDWW5ZWDV4MHN3OEZIYk1TYTk2aWlOUm9qNU4iLCJtYWMiOiI3ZWY0ZTYyNTNlNDEzZGQzOTI2OTVhYWQ2OWY4M2I3MmZjOWM1MTc4ODYzNGYzYTQ5MGYwY2NlMGE4ODVjNjMxIn0%3D

_token=qNXYj866UOlCog9UfSQl3U8NidUTWwBqKkzG8VoG&username=admin

Set the username= POST parameter to the victim's username. This request can be sent an unlimited number of times, and the victim's email address will receive unlimited verification emails.

Impact

An attacker can send unlimited emails to any mail address.

Solution:

'reset_password_tries_limit'=>5, 'reset_password_tries'=>"int(10) unsigned DEFAULT '0'",
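The proposed solution above is a per-account attempt counter. As an added illustration (this is not Snipe-IT's code and not the fix from the referenced commit), the following Python sketch shows what a defender would put in front of an endpoint like /password/email: a per-account limit mirroring the report's reset_password_tries_limit of 5, plus a per-client limit so one source cannot spray reset requests across many usernames, with a generic response in every case so the limiter does not become a username-enumeration oracle. The class names, the client limit of 20, and the one-hour window are assumptions chosen for the example.

```python
"""Added example: rate limiting for a password-reset email endpoint.

Two independent sliding-window limits are enforced:
  * per target account: at most RESET_TRIES_LIMIT emails per window
    (mirrors the report's proposed reset_password_tries_limit of 5);
  * per client address: at most CLIENT_LIMIT requests per window
    (assumed value), so that a single source cannot spray requests.
The handler returns the same neutral message whether or not mail was
sent, so throttling does not reveal which usernames exist.
"""
import time
from collections import defaultdict, deque

RESET_TRIES_LIMIT = 5      # emails per account per window (value from the report's solution)
CLIENT_LIMIT = 20          # requests per client IP per window (assumed)
WINDOW_SECONDS = 60 * 60   # sliding window length (assumed: one hour)

GENERIC_RESPONSE = "If that account exists, a password reset email has been sent."


class SlidingWindowLimiter:
    """Remembers request timestamps per key and allows a request only if
    fewer than `limit` of them fall inside the trailing window."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)

    def allow(self, key, now):
        q = self._events[key]
        # Discard timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class PasswordResetService:
    """Hypothetical reset handler; `send_email` is any callable(username)."""

    def __init__(self, known_users, send_email, now=time.time):
        self.known_users = {u.strip().lower() for u in known_users}
        self.send_email = send_email
        self.now = now
        self.per_account = SlidingWindowLimiter(RESET_TRIES_LIMIT, WINDOW_SECONDS)
        self.per_client = SlidingWindowLimiter(CLIENT_LIMIT, WINDOW_SECONDS)
        self.throttled = 0   # count of suppressed sends, useful for alerting

    def request_reset(self, username, client_ip):
        now = self.now()
        username = username.strip().lower()
        # The per-client budget is consumed for every request, known user
        # or not, so probing names costs the same as hitting real accounts.
        if not self.per_client.allow(client_ip, now):
            self.throttled += 1
            return GENERIC_RESPONSE
        if username in self.known_users:
            if self.per_account.allow(username, now):
                self.send_email(username)
            else:
                self.throttled += 1
        return GENERIC_RESPONSE


if __name__ == "__main__":
    # Constructed demo: eight reset requests for one account from one IP.
    sent = []
    svc = PasswordResetService(["admin"], sent.append)
    for _ in range(8):
        svc.request_reset("admin", "203.0.113.5")
    print(f"emails sent: {len(sent)}, throttled: {svc.throttled}")
```

The per-account limiter is keyed on the normalized username rather than the email address, matching the report's counter, and the per-client limiter is what actually caps total outbound mail when an attacker rotates usernames; the `throttled` counter is the signal a SOC would alert on.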

We have contacted a member of the snipe/snipe-it team and are waiting to hear back a year ago
snipe
a year ago

Maintainer


While this isn't incorrect, we have never ever seen this exploited in the wild. You'd need to know the URL and username of a user on the system.

takester
a year ago

Researcher


Well, yes, we need that; for every attack we need the URL, don't we? And about the valid username: an attacker may or may not know the username, and can do a dictionary attack to perform the attack.

https://hackerone.com/reports/145458 And please do refer to this previously submitted report too: https://huntr.dev/bounties/d33cd2a3-1cff-4a9d-a0d1-df7d01e2d1e2/

takester
a year ago

Researcher


any update??

snipe
a year ago

Maintainer


If there was an update, I'd have said so. It's been one day.

snipe validated this vulnerability a year ago
takester has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe marked this as fixed with commit 702791 a year ago
snipe has been awarded the fix bounty
This vulnerability will not receive a CVE