Insufficient Granularity of Access Control in microweber/microweber

Valid

Reported on Mar 6th 2022


Description

There is no rate limit on the newsletter subscription form, and a captcha value is not invalidated after it has been used, so the same captcha can be replayed to issue notifications to the administrator.

Proof of Concept

Capture the newsletter subscription flow in Burp and keep entering an email and captcha until the POST form request shown below is captured. Then send this request to Burp Intruder and replay it with the same captcha value to issue as many notifications as desired.

Sample Request

POST /demo/api/post_form HTTP/1.1
Host: demo.microweber.org
Cookie: laravel_session=kcTjGuBIPY5gQLMzQ7KLvp0cv0EQQz2nfJEcPKAE; csrf-token-data=%7B%22value%22%3A%22SCWkLefQrigbTe92em37PL4qEBKnLg7ZvVewn60f%22%2C%22expiry%22%3A1646569870269%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo.microweber.org/demo/forgot_password
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 137
Origin: https://demo.microweber.org
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

_token=SCWkLefQrigbTe92em37PL4qEBKnLg7ZvVewn60f&for_id=footer_newsletter&for=module&email=b%40a.com&module_name=contact_form&captcha=4405

Impact

This vulnerability allows an attacker to flood the administrator with an unbounded number of notifications.
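The two controls the report says are missing are a single-use captcha and a submission rate limit. The following is an added illustration of both, written for this page; it is not Microweber's code and does not reflect how CaptchaValidator.php is implemented. The in-memory stores, the session id, the client address 198.51.100.7 and the timestamps are constructed for the example; the captcha value 4405 and the email are taken from the sample request above.

```python
import hmac
import secrets
from collections import defaultdict, deque


class CaptchaStore:
    """Issues one captcha answer per session and consumes it on the first check.

    Constructed in-memory store; a real deployment would keep this in the
    session or cache backend.
    """

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}  # session_id -> (answer, expires_at)

    def issue(self, session_id, now, answer=None):
        # The answer would normally be rendered into the captcha image;
        # callers may pass a fixed one so the behaviour is reproducible.
        if answer is None:
            answer = f"{secrets.randbelow(10000):04d}"
        self._pending[session_id] = (answer, now + self.ttl)
        return answer

    def verify(self, session_id, submitted, now):
        # Single use: the pending answer is removed whether or not the
        # submission matches, so neither replay nor guessing gets a second try.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        answer, expires_at = entry
        if now > expires_at:
            return False
        return hmac.compare_digest(answer, str(submitted))


class RateLimiter:
    """Sliding window: at most `limit` submissions per `window` seconds per key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent attempts

    def allow(self, key, now):
        q = self._events[key]
        while q and q[0] <= now - self.window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FormHandler:
    """Hypothetical stand-in for the post_form endpoint from the report."""

    def __init__(self, captchas, limiter):
        self.captchas = captchas
        self.limiter = limiter
        self.notifications = []  # what would be sent to the administrator

    def post_form(self, session_id, client_ip, email, captcha, now):
        # Count every attempt against the limit, including failed captchas,
        # so a replay loop is throttled even before the captcha check runs.
        if not self.limiter.allow(client_ip, now):
            return "rate_limited"
        if not self.captchas.verify(session_id, captcha, now):
            return "bad_captcha"
        self.notifications.append((email, now))
        return "ok"


def demo():
    """Replays the captured captcha the way the PoC does and returns the outcomes."""
    handler = FormHandler(CaptchaStore(), RateLimiter(limit=3, window=60))
    ip = "198.51.100.7"  # constructed client address
    results = []
    handler.captchas.issue("sess-1", now=1000.0, answer="4405")
    results.append(handler.post_form("sess-1", ip, "b@a.com", "4405", 1000.0))
    # Three replays of the same captcha: two rejected as used, one throttled.
    for t in (1001.0, 1002.0, 1003.0):
        results.append(handler.post_form("sess-1", ip, "b@a.com", "4405", t))
    # A freshly issued captcha after the window has passed is accepted again.
    handler.captchas.issue("sess-1", now=1070.0, answer="1234")
    results.append(handler.post_form("sess-1", ip, "b@a.com", "1234", 1070.0))
    return results, len(handler.notifications)


if __name__ == "__main__":
    print(demo())
```

With both controls in place the replayed request from the PoC yields exactly one notification; the rate limiter bounds how many attempts a client can make at all, and consuming the answer on every verification also stops an attacker from cycling guesses against a single captcha image.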

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
We have contacted a member of the microweber team and are waiting to hear back 3 months ago
Bozhidar Slaveykov validated this vulnerability 3 months ago
rajeshpatil013 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov confirmed that a fix has been merged on 201290 3 months ago
Bozhidar Slaveykov has been awarded the fix bounty
CaptchaValidator.php#L8 has been validated