Least Privilege Violation in kestasjk/webdiplomacy

Valid

Reported on

Jul 23rd 2021


✍️ Description

Bypass rate limit and sent unlimited email to any email address.

💥 Impact

Attacker can sent unlimited email to any mail address . Many email service provider has limited email sending like 10000 email per month . If you exeed that limit then you will be extra charged . So, using this attack attacker can exeed that limit and company will be charged extra money.

🕵️‍♂️ Proof of Concept

During password-reset link sending there is no rate-limit which allow to send unlimited email to any email address. bellow request is vulnerable tot this attack

POST /logon.php?forgotPassword=2 HTTP/1.1
Host: webdiplomacy.net
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: https://webdiplosdfdmacy.net
DNT: 1
Connection: close
Referer: https://webdipdddlomacy.net/logon.php?forgotPassword=1
Upgrade-Insecure-Requests: 1

forgotUsername=bbounty

Now sent this request unlimited time and victim email address will received unlimited verification email . Also attacker can make this as python code and send unlimited email

You should set rate limit there to prevent this

We have contacted a member of the kestasjk/webdiplomacy team and are waiting to hear back 2 months ago
Kestas "Chris" Kuliukas validated this vulnerability 2 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kestas "Chris" Kuliukas confirmed that a fix has been merged on e1b873 2 months ago
Kestas "Chris" Kuliukas has been awarded the fix bounty