Insufficient Granularity of Access Control in publify/publify

Valid

Reported on

Oct 12th 2021


Description

There is no rate limit protection: an attacker can send unlimited emails to a victim who has an account with that email address.

Proof of Concept

There is no rate limit on users/password, so an attacker can send unlimited emails to any victim email address that has an account.

POST /users/password HTTP/1.1
Host: demo-publify.herokuapp.com
Cookie: _publify_blog_session=bcc4763a5e705ab2f900361126dc1a92
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo-publify.herokuapp.com/users/password/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Origin: https://demo-publify.herokuapp.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

utf8=%E2%9C%93&authenticity_token=aMSmWPPXrTwPfgTcEeKEqEKfpcHJiggrpOvwt5b9MyFHfGws3tJQDfbCb9u4nQY98rXHzFnUGwUSVtbxVfLD3A%3D%3D&user%5Bemail%5D=admin%40gmail.com&commit=Send+me+reset+password+instructions

Set the POST data email parameter value to the victim's mail address. Send this request an unlimited number of times and the victim's email address will receive unlimited verification emails.

Impact

An attacker can send unlimited emails to any victim mail address (that has an account). Many email service providers have a limited email sending quota, such as 1000 emails per month. If you exceed that limit, you will be charged extra. So, using this attack, an attacker can exceed that limit and the company will be charged extra money.
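The mitigation the report asks for is a throttle on the password reset endpoint. The following is an added example, not code from this report or from Publify or Devise: a self-contained Rack-style middleware in plain Ruby (standard library only, no rack-attack gem) that counts POST /users/password requests per client IP and per normalised e-mail address in a fixed window and answers 429 once either counter passes a limit. The class name, the limit/period values, the clock injection and the sample addresses are all assumptions made for the example; the form field name `user[email]` is the one in the captured request above.

```ruby
require "uri"
require "stringio"

# Added example (assumption: not Publify's code). Throttles password reset
# requests by submitted e-mail and by client IP over a fixed time window.
class PasswordResetThrottle
  PATH = "/users/password"

  # limit: requests allowed per key per window; period: window length in seconds.
  # clock is injectable so the window expiry can be exercised deterministically.
  def initialize(app, limit: 5, period: 3600, clock: -> { Time.now.to_i })
    @app, @limit, @period, @clock = app, limit, period, clock
    @counters = Hash.new { |h, k| h[k] = [0, 0] } # key => [window_start, count]
  end

  def call(env)
    if env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == PATH
      keys = ["ip:#{env['REMOTE_ADDR']}"]
      email = email_from(env)
      keys << "email:#{email}" if email
      # Count every key (no short-circuit) so a burst across many IPs against
      # one address is still caught by the e-mail bucket.
      blocked = keys.map { |k| exceeded?(k) }.any?
      if blocked
        headers = { "Content-Type" => "text/plain", "Retry-After" => @period.to_s }
        return [429, headers, ["Too many password reset requests\n"]]
      end
    end
    @app.call(env)
  end

  private

  # Extract user[email] from the urlencoded body and normalise it so that
  # case variants of one address share a single bucket.
  def email_from(env)
    body = env["rack.input"]
    return nil unless body
    body.rewind
    raw = body.read
    body.rewind # leave the body readable for the downstream app
    addr = URI.decode_www_form(raw).to_h["user[email]"]
    addr && addr.strip.downcase
  end

  # Fixed-window counter: reset when the window has elapsed, else increment.
  def exceeded?(key)
    now = @clock.call
    start, count = @counters[key]
    if now - start >= @period
      @counters[key] = [now, 1]
      false
    else
      @counters[key] = [start, count + 1]
      count + 1 > @limit
    end
  end
end

# Constructed Rack env for one reset request (sample values, not real traffic).
def reset_request(email, ip: "203.0.113.10")
  body = URI.encode_www_form("utf8" => "\u2713", "user[email]" => email,
                             "commit" => "Send me reset password instructions")
  { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/users/password",
    "REMOTE_ADDR" => ip, "CONTENT_TYPE" => "application/x-www-form-urlencoded",
    "rack.input" => StringIO.new(body) }
end

OK_APP = ->(_env) { [200, {}, ["ok"]] }

# One client repeating the request: the (limit+1)th answer is 429.
def simulate_single_client(limit: 5)
  throttle = PasswordResetThrottle.new(OK_APP, limit: limit, period: 3600)
  (1..(limit + 1)).map { throttle.call(reset_request("admin@example.com")).first }
end

# Distinct IPs, same target address: the e-mail bucket still trips.
def simulate_many_ips(limit: 3)
  throttle = PasswordResetThrottle.new(OK_APP, limit: limit, period: 3600)
  (1..(limit + 1)).map do |i|
    throttle.call(reset_request("Admin@Example.com", ip: "198.51.100.#{i}")).first
  end
end

# After the window elapses the counter resets and requests are accepted again.
def simulate_window_expiry(limit: 2, period: 60)
  t = 1_000
  throttle = PasswordResetThrottle.new(OK_APP, limit: limit, period: period, clock: -> { t })
  first = (1..(limit + 1)).map { throttle.call(reset_request("a@example.com")).first }
  t += period
  [first, throttle.call(reset_request("a@example.com")).first]
end

if __FILE__ == $PROGRAM_NAME
  p simulate_single_client, simulate_many_ips, simulate_window_expiry
end
```

The e-mail bucket is what matters for the scenario in this report: throttling by IP alone is cheap to sidestep from many sources, whereas a per-address cap bounds how many reset mails one account holder can be sent in a window regardless of where the requests come from. In a real deployment the counters would live in a shared store such as Redis rather than an in-process hash.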

We have contacted a member of the publify team and are waiting to hear back 2 months ago
Matijs
2 months ago

AFAIK , the attacker can only send unlimited email to people who actually have an account.

Matijs
2 months ago

I have confirmed that a mail is not sent if the email address does not correspond to an existing account.

In any case, I think this is something that would have to be changed in Devise (https://github.com/heartcombo/devise).

Raptor
2 months ago

Researcher


reference report https://www.huntr.dev/bounties/2d3b85ec-1ff9-4226-859a-776de238b246/

Raptor
2 months ago

Researcher


https://github.com/BookStackApp/BookStack/commit/ca764caf2d55a5c9bac61718d656423b0c3a060b

Matijs
2 months ago

How is this relevant? I cannot read that report and Publify is not written in PHP.

Raptor
2 months ago

Researcher


https://www.huntr.dev/bounties/d33cd2a3-1cff-4a9d-a0d1-df7d01e2d1e2/

Raptor
2 months ago

Researcher


Please refer to the above reports.

Raptor modified their report
2 months ago
Matijs
2 months ago

Again, Publify does not use Laravel. If you don't engage with what I'm commenting here I'm going to close this as invalid.

Matijs
2 months ago

Attacker can sent unlimited email to any victim mail address .

This is incorrect. Please adjust the report to reflect the actual situation.

Raptor modified their report
2 months ago
Raptor modified their report
2 months ago
Raptor
2 months ago

Researcher


(An attacker can send unlimited emails to people who actually have an account.) The attacker abuses the forgot password functionality: if the attacker gets a victim's mail id that has an account, they can send unlimited forgot password requests, which leads to unlimited forgot password mails being sent, since there is no rate limit on the forgot password page. I am not saying Laravel; that is the same kind of report, for reference. No rate limit is everywhere, so please set a throttle on sending forgot password mails.

Matijs
2 months ago

@raptor thank you for adjusting the report.

Yes, it was already clear to me that there are similar reports.

Raptor
2 months ago

Researcher


Thanks for understanding 😊

Raptor
a month ago

Researcher


Hi Sir, any updates?

Raptor
a month ago

Researcher


Any updates, sir?

We have sent a second follow-up to the publify team. We will try again in 10 days. a month ago
Matijs van Zuijlen validated this vulnerability a month ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Matijs van Zuijlen confirmed that a fix has been merged on 503a85 a month ago
Matijs van Zuijlen has been awarded the fix bounty
new.html.erb#L1-L20 has been validated