Insufficient Granularity of Access Control in firefly-iii/firefly-iii

Valid

Reported on

Oct 3rd 2021


Description
There is no rate limit, so unlimited email can be sent to the victim or to any email address.

Proof of Concept
There is no rate limit on return-password, so an attacker can send unlimited email to the victim or to any email address.

POST /password/email HTTP/2
Host: demo.firefly-iii.org
Cookie: _pk_id.1.a460=715ef04152ed803e.1632942816.; google2fa_token=eyJpdiI6ImpuOTF1cTdPemN3alRzNnJWOTBsNkE9PSIsInZhbHVlIjoiQno0RDdmWkpIalVZUGFsRHc0NmZ1TWRKOGR1S2Jna2U1RllGNkM2blpnaXpTZkxMOU90Um0xRDNzZGg0WWp1NiIsIm1hYyI6ImEyZDNhMmMxZTAxNGE3OGYzODgxMWQwMGY3YmEwMzNhNjQxNDk5NjJkNmM5NTg5YmFmN2JhOTJjMDUwNjM1NDciLCJ0YWciOiIifQ%3D%3D; report-type=default; report-accounts=; report-categories=undefined; report-budgets=undefined; report-tags=undefined; report-double=undefined; report-start=20211001; report-end=20211031; XSRF-TOKEN=eyJpdiI6Ik4xWjhEVWgzVmZRbEhnS2w1ZjNZVmc9PSIsInZhbHVlIjoiUy9JS1hTSEhMTkozTkVyUkxrTTNOTVQ1dmF5TXhTdThlWGFPcEJoMjgwUUVZSnJkODN5Z0w5ZWxCZDhCclV1N2NveWVQMEtEMlhtMWxqU0lla3cwZStNa1Zsbm9ISFZxdDNPSUd6c1RXMzR3OU5pQng4a1lub05LL09uaXdyeE8iLCJtYWMiOiIwNWNkOGQxMTk0M2I2ZjgzNTMwY2MyNTY3M2M0M2Q0MzYzZjM3YzcxZjljZmE2ZDcxY2YxMjhjZTkxNjU1NGMyIiwidGFnIjoiIn0%3D; firefly_session=eyJpdiI6IkNSN0t6YTFCRkR5R2k2Rk41T1VGRmc9PSIsInZhbHVlIjoiM1Z1YmkvZnZHZEU1VVlwZEtCb1NSUU43SHF0dGs5OFBCd2gyRWpuc0RVYWsxYVBBaE5zWmFDOEpGdi9MWHVOWW9Wd1J6bzJrRE4wc2xLVkRhZDcxZFVBRGFjTlpLTFBDZE5NT1RpVHFRdTIzSUlXVzFHVWlxdURSZVVWRXo3MFciLCJtYWMiOiI1OTJlZGI4NjI2M2UyMjNjNjYxNmUyMTkzZDZjMjc2YTQ2MTBiZThjNDBkOTYwYzE4ZDg2NjFiZGI3ODlhNzA4IiwidGFnIjoiIn0%3D; _pk_ses.1.a460=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Origin: null
Content-Length: 70
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: same-origin
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

_token=SjdJgFhxeldLUfUYneaR0Ts6alSOfINdCQ9HY1xw&email=test%40gmail.com

Set the POST data parameter email= to the victim's mail address. Send this request an unlimited number of times and the victim's email address will receive an unlimited number of verification emails.

Impact
An attacker can send unlimited email to any mail address.

Solution:
'reset_password_tries_limit' => 5,
'reset_password_tries' => "int(10) unsigned DEFAULT '0'",
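As an added example (not code from this report, nor from the fix merged in 0af2fd), here is one way to close this gap with the Laravel throttle middleware the maintainer refers to, limiting reset mail both per requesting client and per target address. It assumes Laravel 8 or later and a hypothetical ForgotPasswordController::sendResetLinkEmail action; the limiter name password-reset and the numeric limits are assumptions.

```php
<?php
// Added example (not from the report or the merged fix): register a named
// rate limiter for password-reset mail and attach it to POST /password/email.
// Assumes Laravel 8+ and a hypothetical ForgotPasswordController.

use App\Http\Controllers\Auth\ForgotPasswordController; // hypothetical
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;

// 1. In a service provider's boot() (e.g. RouteServiceProvider):
RateLimiter::for('password-reset', function (Request $request) {
    // Normalise the submitted address so case/whitespace variants share a bucket.
    $email = strtolower(trim((string) $request->input('email', '')));

    return [
        // Per source: caps how fast one client can fire the request at all.
        Limit::perMinute(5)->by('pw-reset-ip:' . $request->ip()),
        // Per target address: caps how much mail one recipient can receive,
        // regardless of how many clients the requests come from.
        Limit::perHour(3)->by('pw-reset-email:' . $email),
    ];
});

// 2. In routes/web.php: throttle:<limiter name> enforces both limits and
//    answers 429 Too Many Requests once either one is exceeded.
Route::post('/password/email', [ForgotPasswordController::class, 'sendResetLinkEmail'])
    ->middleware(['guest', 'throttle:password-reset'])
    ->name('password.email');
```

Laravel's password broker also has its own per-user cooldown, the throttle value (in seconds) under passwords in config/auth.php, which only stops repeat resets for the same user and so complements rather than replaces the route-level limit above.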
We have contacted a member of the firefly-iii team and are waiting to hear back a year ago
James Cole
a year ago

Maintainer


Weird, it is literally a feature of Laravel to prevent this.

James Cole validated this vulnerability a year ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
James Cole confirmed that a fix has been merged on 0af2fd a year ago
James Cole has been awarded the fix bounty
James Cole
a year ago

Maintainer


lol, default value is not to throttle. Smart move, Laravel.

@0xAmal
a year ago

Researcher


Thanks @James Cole

James Cole
a year ago

Maintainer


FYI fix + report bounty was $0, it's not like I don't want to have you paid :P

@0xAmal
a year ago

Researcher


It's okay James Cole, huntr dev will pay. Right now your bounty has finished, I believe. The last of my reports also did not get a bounty. @admin please find a solution for these 2 issues; I got 0 $. It's okay, fine.

Jamie Slome
a year ago

Admin


@both - seeing as the pot has been depleted, we cannot necessarily add more funds to the pot until it automatically refreshes, but will certainly ensure that your feedback is taken on.

James Cole
a year ago

Maintainer


No worries, I suspected something like that. Would be nice to have infinite funds lol.

Jamie Slome
a year ago

Admin


@jc5 - if you take a look at our landing page, you can see the prize pot offers that we are currently offering.
