Improper Restriction of Excessive Authentication Attempts in login feature in janeczku/calibre-web

Valid

Reported on

Jun 1st 2022


Description

No rate limiting on the login form allows brute-force attacks against user passwords.

Steps to reproduce

1. Go to http://localhost:<port>/login

2. Log in with wrong credentials

3. Capture the POST request with Burp Suite and send it to Intruder

4. Create 100 null payloads and start the attack

5. Notice that all requests return a 200 status code

Impact

Account takeover
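The report's core point is that the login endpoint answers every guess with the same 200 response no matter how many have failed. The following is an added example of the missing control, a sliding-window failed-login throttle with a lockout, written for this page; it is not calibre-web's own code and not the fix shipped in commit 49e4f5. The `LoginThrottle` class, the `attempt_login` function, the in-memory `USERS` store and the sample client address are all assumptions made for the demonstration.

```python
"""Added example: a failed-login throttle of the kind the report says the
login form lacked. Not calibre-web's code; LoginThrottle, attempt_login and
the USERS store are constructed for this demonstration."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5       # failed attempts allowed inside one window
WINDOW_SECONDS = 300   # sliding window length in seconds
LOCKOUT_SECONDS = 900  # how long a key stays locked once the limit is hit


class LoginThrottle:
    """Tracks failed attempts per key (client IP plus username) in a sliding
    window and locks the key once the limit is reached."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lock expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:               # lock expired: forget the old failures
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key, now):
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the demo: username -> (salt, PBKDF2 hash).
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def attempt_login(throttle, username, password, client_ip, now=None):
    """Return an HTTP-like status: 429 when throttled, 200 on success, 401 on
    failure. Throttled requests are refused before the password is checked,
    so a guessing run no longer receives a verdict on every attempt."""
    now = time.time() if now is None else now
    key = (client_ip, username)
    if throttle.is_locked(key, now):
        return 429
    record = USERS.get(username)
    # Hash and compare even for unknown users so response time does not
    # reveal which usernames exist.
    salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
    computed = _hash_password(password, salt)
    ok = record is not None and hmac.compare_digest(computed, expected)
    if ok:
        throttle.record_success(key)
        return 200
    throttle.record_failure(key, now)
    return 401


def demo():
    """Replay the report's scenario, many wrong guesses from one client, and
    return the status codes so the behaviour can be checked."""
    throttle = LoginThrottle()
    ip = "10.0.0.7"  # constructed client address
    codes = [attempt_login(throttle, "admin", f"guess{i}", ip, now=1000 + i)
             for i in range(8)]
    # Even the correct password is refused while the lock is active...
    codes.append(attempt_login(throttle, "admin", "correct horse battery staple", ip, now=1010))
    # ...and accepted again once the lockout has expired.
    codes.append(attempt_login(throttle, "admin", "correct horse battery staple", ip,
                               now=1010 + LOCKOUT_SECONDS))
    return codes


if __name__ == "__main__":
    print(demo())  # [401, 401, 401, 401, 401, 429, 429, 429, 429, 200]
```

Keying the throttle on the client address together with the username is a deliberate compromise: a per-username key alone lets anyone lock a victim out of their account, while a per-address key alone is sidestepped by spreading guesses over many sources. In a real deployment the counters should live in shared storage (the application database or a cache) rather than in process memory, and each 401 and 429 should be logged with the username and address so bursts of failures are visible to whoever monitors the instance.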

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. a year ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back a year ago
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. a year ago
We have sent a second follow up to the janeczku/calibre-web team. We will try again in 10 days. a year ago
janeczku/calibre-web maintainer has acknowledged this report a year ago
Domiee13
10 months ago

Researcher


@maintainer @admin any update ... ?

Jamie Slome
10 months ago

Admin


No update from our side. I expect we will hear from the maintainer shortly, as they are likely working on a fix and are typically very active on the platform.

If you have any ideas about how we can improve your experience on the platform, please feel free to create a feature request.

Domiee13
10 months ago

Researcher


Hope so. I have seen that the maintainer acknowledged this report a month ago, but there hasn't been any update ...

janeczku validated this vulnerability 10 months ago
Domiee13 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the janeczku/calibre-web team. We will try again in 7 days. 10 months ago
We have sent a second fix follow up to the janeczku/calibre-web team. We will try again in 10 days. 10 months ago
We have sent a third and final fix follow up to the janeczku/calibre-web team. This report is now considered stale. 9 months ago
janeczku
8 months ago

Maintainer


I have a fix in the developer branch, but I need some more time for testing before releasing it.

janeczku marked this as fixed in 0.6.20 with commit 49e4f5 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 27th 2023
janeczku published this vulnerability a month ago