Insufficient Granularity of Access Control in zikula/core

Valid

Reported on

Sep 18th 2021


Description

A missing rate limit on the lost-user-name endpoint allows sending an unlimited number of emails to a victim or to any email address.

Proof of Concept

There is no rate limit on the lost-user-name endpoint, so an attacker can send an unlimited number of emails to a victim or to any email address.

POST /zauth/account/lost-user-name HTTP/1.1
Host: demo.ziku.la
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 222
Origin: https://demo.ziku.la
Connection: close
Referer: https://demo.ziku.la/zauth/account/lost-user-name
Cookie: _zsid=1kkpnmtra80thcmftq7i4ots3d
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

zikulazauthmodule_account_lostusername%5Bemail%5D=aravindtestx%40gmail.com

Set the email parameter in the POST data to the victim's address. This request can be repeated an unlimited number of times, and the victim's email address will receive an unlimited number of verification emails.

Impact

An attacker can send unlimited emails to any mail address. Many email service providers cap email sending, for example at 1000 emails per month, and charge extra once that limit is exceeded. Using this attack, an attacker can push the site over that limit and the company will be charged extra money.

We have contacted a member of the zikula/core team and are waiting to hear back a year ago
Raptor modified the report
a year ago
Axel Guckelsberger validated this vulnerability a year ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Axel Guckelsberger confirmed that a fix has been merged on a122e7 a year ago
Axel Guckelsberger has been awarded the fix bounty
Axel (Maintainer)
a year ago

Thank you for the report. The issue is fixed by utilising a rate limiter component from Symfony. After x attempts a TooManyRequestsHttpException occurs.
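
As an added illustration of the approach the maintainer describes (this is not zikula/core's own patch, which is not shown on this page), the following standalone PHP script applies Symfony's RateLimiter component in front of a simulated lost-user-name handler. The policy name, the limit of 5 requests per 15 minutes, the key choice (client IP) and the handleLostUserName function are all assumptions made for the example; in a real Symfony application the factory would be configured under framework.rate_limiter and autowired rather than built by hand.

```php
<?php
// Added example, not zikula/core's own code.
// Requires: composer require symfony/rate-limiter symfony/http-kernel
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
use Symfony\Component\RateLimiter\RateLimiterFactory;
use Symfony\Component\RateLimiter\Storage\InMemoryStorage;

// Hypothetical policy: at most 5 lost-user-name requests per client IP per 15 minutes.
// InMemoryStorage is per-process; a shared store (e.g. a cache pool) is needed when
// the application runs on more than one worker or host.
$factory = new RateLimiterFactory([
    'id'       => 'lost_username',
    'policy'   => 'sliding_window',
    'limit'    => 5,
    'interval' => '15 minutes',
], new InMemoryStorage());

/**
 * Simulates the lost-user-name handler (hypothetical): consume one token for the
 * caller's key before any mail is sent, and refuse with HTTP 429 once the window
 * is exhausted. The check runs before the mail step so rejected requests cost no mail.
 */
function handleLostUserName(RateLimiterFactory $factory, string $clientIp, string $email): string
{
    // Keyed on the client IP. Keying on the submitted address as well would also cap
    // how many mails a single victim address can receive from many different sources.
    $limit = $factory->create('ip:' . $clientIp)->consume(1);

    if (!$limit->isAccepted()) {
        $retryAfter = max(1, $limit->getRetryAfter()->getTimestamp() - time());
        // TooManyRequestsHttpException sets the Retry-After header from its first argument.
        throw new TooManyRequestsHttpException($retryAfter, 'Too many lost-user-name requests');
    }

    // The verification mail would be dispatched here; the example only reports the outcome.
    return sprintf('mail queued for %s (%d attempts left in window)', $email, $limit->getRemainingTokens());
}

// Constructed sample traffic: one client repeating the same POST, as in the report.
// Requests 1-5 are accepted; 6 and 7 are rejected with 429 and a Retry-After header.
for ($i = 1; $i <= 7; $i++) {
    try {
        echo "$i: " . handleLostUserName($factory, '203.0.113.10', 'victim@example.com') . PHP_EOL;
    } catch (TooManyRequestsHttpException $e) {
        echo "$i: HTTP 429, Retry-After: " . $e->getHeaders()['Retry-After'] . PHP_EOL;
    }
}
```

The sliding_window policy is used here because it smooths bursts at window boundaries better than fixed_window; the same code works with any policy the component offers, since only the factory configuration changes.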

ranjit-git
a year ago

Great to see someone just copy-paste my template for this kind of bug.

Axel (Maintainer)
a year ago

@ranjit-git: did I do something wrong? We discussed possible patches in our team and I think the rate limiter is a good approach for this issue. I guess you refer to the report, not to the patch, don't you?

ranjit-git
a year ago

@maintainer. Sorry, it's not you.
The bug reporter completely copy-pasted my bug template for this kind of rate-limit bug.
I don't mind here. It's called education; people can learn from others.
Researchers are free to do so and I have no problem with it.
But at least the researcher should modify some strings or make their own.

Raptor (Researcher)
a year ago

@ranjit-git

Raptor (Researcher)
a year ago

@ranjit-git

I already know about these types of bugs; I work with H1. It was just for reference in the impact of the bug. I know the impact of the bug.

0x9x
a year ago

Oh! At least he learned something new! Rate limit bugs are everywhere.
