No Rate Limit On migrate-email Endpoint Leads to Brute-force Attack in kareadita/kavita

Valid

Reported on

Oct 27th 2022


The migrate-email endpoint is requiring Email, Username, and Password parameter. This endpoint contain authentication functionality that doesn't have any protection from brute-force attack, which allows an attacker to try every possible password combination without any restriction.

CWE-307: Improper Restriction of Excessive Authentication Attempts

POC

1. Send this request to Burpsuite Intruder

POST /api/account/migrate-email HTTP/1.1
Host: 192.168.189.132:5000
Accept: application/json, text/plain, */*
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Referer: http://192.168.189.132:5000/admin/dashboard
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,id-ID;q=0.8,id;q=0.7,ar-SA;q=0.6,ar;q=0.5
Connection: close
Content-Type: application/json
Content-Length: 67

{"Email":"xxx@local.com",
"Username":"admin",
"Password":"xxx"
}

2. Mark on the Password value

3. Bruteforce attack with 1000 password list and get valid admin password

Impact

An attacker could perform a brute-force attack targeting normal and administrative users, using different passwords and eventually gain access to the targeted account, without any restriction.

We are processing your report and will contact the kareadita/kavita team within 24 hours. a month ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back a month ago
kareadita/kavita maintainer has acknowledged this report a month ago
Joe Milazzo
a month ago

Maintainer


This is valid and I will fix it. Nice catch

Joe Milazzo validated this vulnerability a month ago
zetc0de has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Milazzo marked this as fixed in 0.6.0.3 with commit f8db37 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
zetc0de
a month ago

Researcher


@admin can disclose this report? Also can to assign cve for this vulnerability?

Joe Milazzo
a month ago

Maintainer


This is not ready for disclosure. Hence why it's not disclosed. When it is in our stable release, I will disclose this (and all orhers raised by you).

Joe Milazzo published this vulnerability 19 days ago
to join this conversation