No rate limit on old password parameter allows attacker to bruteforce the existing password and set a new password in ikus060/rdiffweb

Valid

Reported on

Sep 22nd 2022


Description

There is no rate limit on the password change feature on https://rdiffweb-demo.ikus-soft.com/prefs/general# which allows an attacker to bruteforce the old password and set a new password for the account

Proof of Concept

  1. Go to https://rdiffweb-demo.ikus-soft.com/prefs/general#
  2. Here you will see a password change feature
  3. In the "old password" field enter any random string and in the "new password" and "confirm new password" field set the new password for the victim account
  4. Capture the request using burpsuite and perform a bruteforce attack on the old password field
  5. Due to the absence of rate limit on this endpoint an attacker can easily change the password of victim account

Attack Scenario: Let us consider a situation in which a victim is using a public device , in a library or cafe and forgets to log out of his account and an attacker gets access to this device .

Impact

Attacker can perform a bruteforce attack to change the password of the account hence resulting in a full account takeover issue

References

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 2 months ago
Patrik Dufresne assigned a CVE to this report 2 months ago
Patrik Dufresne validated this vulnerability 2 months ago
nehalr777 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the ikus060/rdiffweb team. We will try again in 10 days. 2 months ago
Patrik Dufresne marked this as fixed in 2.5.0a4 with commit b5e3bb 2 months ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation