No password brute-force protection on login page in kareadita/kavita

Valid

Reported on

Aug 6th 2022


Description

The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible password combination without any restriction.

Proof of Concept

  1. 1- Send a login request of the target user
POST http://localhost:5000/api/account/login HTTP/1.1
Host: localhost:5000
Proxy-Connection: keep-alive
Content-Length: 35
Content-Type: application/json

{"username":"user1","password":"100000"}
  1. 2 - Capture and replay the login request with a different password everytime.

Impact

An attacker could perform a brute-force attack targeting normal and administrative users, using different passwords and eventually gain access to the targeted account, without any restriction.

We are processing your report and will contact the kareadita/kavita team within 24 hours. 2 months ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back a month ago
Joseph Milazzo validated this vulnerability a month ago

Fixed locally

vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joseph Milazzo confirmed that a fix has been merged on 9c31f7 a month ago
Joseph Milazzo has been awarded the fix bounty
to join this conversation