No Rate Limit On migrate-email Endpoint Leads to Brute-force Attack in kareadita/kavita

Valid

Reported on

Oct 27th 2022

The migrate-email endpoint is requiring Email, Username, and Password parameter. This endpoint contain authentication functionality that doesn't have any protection from brute-force attack, which allows an attacker to try every possible password combination without any restriction.

CWE-307: Improper Restriction of Excessive Authentication Attempts

POC

1. Send this request to Burpsuite Intruder

POST /api/account/migrate-email HTTP/1.1
Host: 192.168.189.132:5000
Accept: application/json, text/plain, */*
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Referer: http://192.168.189.132:5000/admin/dashboard
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,id-ID;q=0.8,id;q=0.7,ar-SA;q=0.6,ar;q=0.5
Connection: close
Content-Type: application/json
Content-Length: 67

{"Email":"xxx@local.com",
"Username":"admin",
"Password":"xxx"
}

2. Mark on the Password value

3. Bruteforce attack with 1000 password list and get valid admin password

Impact

An attacker could perform a brute-force attack targeting normal and administrative users, using different passwords and eventually gain access to the targeted account, without any restriction.

References

Brute Force Attack

We are processing your report and will contact the kareadita/kavita team within 24 hours. a year ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago

We have contacted a member of the kareadita/kavita team and are waiting to hear back a year ago

A kareadita/kavita maintainer has acknowledged this report a year ago

Joe Milazzo

commented a year ago

Maintainer

This is valid and I will fix it. Nice catch

Joe Milazzo validated this vulnerability a year ago

zetc0de has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Joe Milazzo marked this as fixed in 0.6.0.3 with commit f8db37 a year ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

zetc0de

commented a year ago

Researcher

@admin can disclose this report? Also can to assign cve for this vulnerability?

Joe Milazzo

commented a year ago

Maintainer

This is not ready for disclosure. Hence why it's not disclosed. When it is in our stable release, I will disclose this (and all orhers raised by you).

Joe Milazzo published this vulnerability a year ago

to join this conversation

We are processing your report and will contact the kareadita/kavita team within 24 hours. a year ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago

We have contacted a member of the kareadita/kavita team and are waiting to hear back a year ago

A kareadita/kavita maintainer has acknowledged this report a year ago

Joe Milazzo

commented a year ago

Maintainer

This is valid and I will fix it. Nice catch

Joe Milazzo validated this vulnerability a year ago

zetc0de has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Joe Milazzo marked this as fixed in 0.6.0.3 with commit f8db37 a year ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

zetc0de

commented a year ago

Researcher

@admin can disclose this report? Also can to assign cve for this vulnerability?

Joe Milazzo

commented a year ago

Maintainer

This is not ready for disclosure. Hence why it's not disclosed. When it is in our stable release, I will disclose this (and all orhers raised by you).

Joe Milazzo published this vulnerability a year ago

to join this conversation