No password brute-force protection on login page in kareadita/kavita

Valid

Reported on

Aug 6th 2022


Description

The login endpoint has no protection against password brute-force attacks: an attacker can submit an unlimited number of login attempts for any account and try every possible password without being locked out or throttled.

Proof of Concept

  1. Send a login request for the target user:

POST http://localhost:5000/api/account/login HTTP/1.1
Host: localhost:5000
Proxy-Connection: keep-alive
Content-Length: 40
Content-Type: application/json

{"username":"user1","password":"100000"}

  2. Capture the request and replay it with a different password each time; the server answers every attempt and never locks the account or rate-limits the client.
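The following is an added illustration, not code from the report or from Kavita (and not the fix shipped in 0.5.4.1, which the report does not describe). It models the login flow as a small in-memory service in two variants, one that accepts unlimited attempts as described above and one with a per-account lockout after a fixed number of failures, and runs the replay loop from step 2 against both over the same six-digit password space the proof of concept uses. The account name, the password "100047", the five-failure threshold and the 15-minute lockout are constructed for the example.

```python
"""Unprotected login beside a lockout-protected one, with the PoC replay loop run
against both. Illustrative model only; not Kavita's code or its fix."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # failed attempts before the account locks (assumed policy)
LOCKOUT_SECONDS = 900   # 15 minutes (assumed policy)
PBKDF2_ROUNDS = 10_000  # kept low so the demo runs quickly; use far more in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, salt: bytes, pw_hash: bytes):
        self.salt = salt
        self.pw_hash = pw_hash
        self.failures = 0        # consecutive failed attempts
        self.locked_until = 0.0  # clock value until which logins are refused


class LoginService:
    """Stand-in for POST /api/account/login. lockout=False reproduces the reported
    behaviour; lockout=True adds a per-account failure counter and lockout window."""

    def __init__(self, lockout: bool, clock=time.monotonic):
        self.lockout = lockout
        self.clock = clock      # injectable so tests can advance time
        self.users = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'invalid' or 'locked'."""
        acct = self.users.get(username)
        if acct is None:
            # Do the same work as the real-user path so timing does not reveal
            # which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "invalid"
        now = self.clock()
        if self.lockout and acct.locked_until > now:
            # A locked account rejects every attempt, including the correct
            # password; otherwise the attacker could simply keep guessing.
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        if self.lockout:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.failures = 0
                acct.locked_until = now + LOCKOUT_SECONDS
        return "invalid"


def brute_force(service: LoginService, username: str, candidates):
    """Step 2 of the PoC: replay the login with a different password each time.
    Returns (password_found_or_None, requests_sent)."""
    sent = 0
    for guess in candidates:
        sent += 1
        if service.login(username, guess) == "ok":
            return guess, sent
    return None, sent


def demo():
    """Run the replay loop against both variants with a constructed account."""
    candidates = [f"{n:06d}" for n in range(100000, 100060)]  # slice of the PoC's space
    results = {}
    for name, lockout in (("unprotected", False), ("lockout", True)):
        svc = LoginService(lockout=lockout)
        svc.add_user("user1", "100047")  # constructed test credential
        results[name] = brute_force(svc, "user1", candidates)
    return results


if __name__ == "__main__":
    for name, (found, sent) in demo().items():
        print(f"{name}: found={found!r} after {sent} requests")
```

Against the unprotected variant the loop recovers the password on the 48th request; against the lockout variant the account locks after five failures and the remaining guesses, the correct one included, are refused until the window expires. A per-account counter alone still lets an attacker spray one password across many accounts, so in practice it is paired with per-client rate limiting.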

Impact

An attacker can brute-force the password of any user, including administrators, by submitting candidate passwords without restriction until one is accepted, and so take over the targeted account. Short or weak passwords, such as the six-digit numeric value used in the proof of concept, fall quickly under these conditions.

Joe Milazzo validated this vulnerability a year ago

Fixed locally

vultza has been awarded the disclosure bounty
Joe Milazzo marked this as fixed in 0.5.4.1 with commit 9c31f7 a year ago
Joe Milazzo has been awarded the fix bounty
This vulnerability will not receive a CVE