Insufficient Granularity of Access Control in firefly-iii/firefly-iii

Valid

Reported on

Oct 3rd 2021


Description
There is no rate limit on the password-reset email endpoint, so an attacker can send unlimited emails to a victim or to any email address.

Proof of Concept
There is no rate limit on the reset-password request, so an attacker can send unlimited emails to the victim or to any email address.

POST /password/email HTTP/2
Host: demo.firefly-iii.org
Cookie: _pk_id.1.a460=715ef04152ed803e.1632942816.; google2fa_token=eyJpdiI6ImpuOTF1cTdPemN3alRzNnJWOTBsNkE9PSIsInZhbHVlIjoiQno0RDdmWkpIalVZUGFsRHc0NmZ1TWRKOGR1S2Jna2U1RllGNkM2blpnaXpTZkxMOU90Um0xRDNzZGg0WWp1NiIsIm1hYyI6ImEyZDNhMmMxZTAxNGE3OGYzODgxMWQwMGY3YmEwMzNhNjQxNDk5NjJkNmM5NTg5YmFmN2JhOTJjMDUwNjM1NDciLCJ0YWciOiIifQ%3D%3D; report-type=default; report-accounts=; report-categories=undefined; report-budgets=undefined; report-tags=undefined; report-double=undefined; report-start=20211001; report-end=20211031; XSRF-TOKEN=eyJpdiI6Ik4xWjhEVWgzVmZRbEhnS2w1ZjNZVmc9PSIsInZhbHVlIjoiUy9JS1hTSEhMTkozTkVyUkxrTTNOTVQ1dmF5TXhTdThlWGFPcEJoMjgwUUVZSnJkODN5Z0w5ZWxCZDhCclV1N2NveWVQMEtEMlhtMWxqU0lla3cwZStNa1Zsbm9ISFZxdDNPSUd6c1RXMzR3OU5pQng4a1lub05LL09uaXdyeE8iLCJtYWMiOiIwNWNkOGQxMTk0M2I2ZjgzNTMwY2MyNTY3M2M0M2Q0MzYzZjM3YzcxZjljZmE2ZDcxY2YxMjhjZTkxNjU1NGMyIiwidGFnIjoiIn0%3D; firefly_session=eyJpdiI6IkNSN0t6YTFCRkR5R2k2Rk41T1VGRmc9PSIsInZhbHVlIjoiM1Z1YmkvZnZHZEU1VVlwZEtCb1NSUU43SHF0dGs5OFBCd2gyRWpuc0RVYWsxYVBBaE5zWmFDOEpGdi9MWHVOWW9Wd1J6bzJrRE4wc2xLVkRhZDcxZFVBRGFjTlpLTFBDZE5NT1RpVHFRdTIzSUlXVzFHVWlxdURSZVVWRXo3MFciLCJtYWMiOiI1OTJlZGI4NjI2M2UyMjNjNjYxNmUyMTkzZDZjMjc2YTQ2MTBiZThjNDBkOTYwYzE4ZDg2NjFiZGI3ODlhNzA4IiwidGFnIjoiIn0%3D; _pk_ses.1.a460=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Origin: null
Content-Length: 70
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: same-origin
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

_token=SjdJgFhxeldLUfUYneaR0Ts6alSOfINdCQ9HY1xw&email=test%40gmail.com

Set the email= parameter in the POST data to the victim's mail address. This request can be repeated an unlimited number of times, and the victim's email address will receive unlimited verification emails.

Impact
An attacker can send unlimited emails to any mail address.

Solution:
'reset_password_tries_limit'=>5,
'reset_password_tries'=>"int(10) unsigned DEFAULT '0'",
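To make the proposed Solution concrete, the following is an added Python sketch of the throttling the report asks for. It is not Firefly III's or Laravel's code and not the fix from commit 0af2fd; the limits, the window length, the `handle_reset_request` stand-in for POST /password/email and its status codes are all this example's assumptions. It counts requests both per target address (so one inbox cannot be flooded) and per client IP (so one source cannot churn through many addresses), and it refuses a request before either counter is consumed.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Limits are assumptions for this example (the report's Solution suggests 5 tries);
# tune them per deployment.
MAX_PER_EMAIL = 5        # reset mails one address may receive per window
MAX_PER_CLIENT = 10      # reset requests one client IP may make per window
WINDOW_SECONDS = 3600    # fixed-window length


@dataclass
class Bucket:
    window_start: float
    count: int = 0


class ResetRequestLimiter:
    """Fixed-window counters keyed by target e-mail and by client IP.

    The clock is injectable so window expiry can be tested without sleeping.
    In production the counters belong in a shared store (the application cache),
    not in process memory, so every web worker enforces the same limit.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._buckets: Dict[Tuple[str, str], Bucket] = {}

    def _bucket(self, scope: str, key: str, now: float) -> Bucket:
        bucket = self._buckets.get((scope, key))
        if bucket is None or now - bucket.window_start >= WINDOW_SECONDS:
            bucket = Bucket(window_start=now)       # start a fresh window
            self._buckets[(scope, key)] = bucket
        return bucket

    def check(self, email: str, client_ip: str) -> Tuple[bool, int]:
        """Record one request; return (allowed, retry_after_seconds)."""
        now = self._clock()
        # Normalise so "Test@Gmail.com" and "test@gmail.com" share one counter.
        email_bucket = self._bucket("email", email.strip().lower(), now)
        ip_bucket = self._bucket("ip", client_ip, now)
        waits: List[int] = []
        for bucket, limit in ((email_bucket, MAX_PER_EMAIL), (ip_bucket, MAX_PER_CLIENT)):
            if bucket.count >= limit:
                waits.append(max(1, int(WINDOW_SECONDS - (now - bucket.window_start))))
        if waits:
            return False, max(waits)    # refuse before either counter is consumed
        email_bucket.count += 1
        ip_bucket.count += 1
        return True, 0


def handle_reset_request(limiter: ResetRequestLimiter, email: str, client_ip: str) -> Tuple[int, int]:
    """Stand-in for POST /password/email; returns (http_status, retry_after_seconds).

    Status codes are this example's choice: 202 when the mail is queued, 429 when throttled.
    """
    allowed, retry_after = limiter.check(email, client_ip)
    if not allowed:
        return 429, retry_after
    # send_reset_mail(email) would run here. The response is identical whether or not
    # the address belongs to an account, so the endpoint does not reveal registered users.
    return 202, 0


def replay_flood(limiter: ResetRequestLimiter, email: str, client_ip: str, attempts: int) -> List[int]:
    """Exercise the limiter with the report's scenario (same address, many requests)."""
    return [handle_reset_request(limiter, email, client_ip)[0] for _ in range(attempts)]


if __name__ == "__main__":
    limiter = ResetRequestLimiter()
    # Constructed sample: seven requests for one address from one client.
    print(replay_flood(limiter, "test@gmail.com", "198.51.100.7", 7))
```

The per-address counter is the one that protects the victim named in the report; the per-client counter on its own would not, because the address can be requested from many sources, and neither counter would help if they lived only in one worker's memory.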
We have contacted a member of the firefly-iii team and are waiting to hear back 2 years ago
James Cole
2 years ago

Maintainer


Weird, it is literally a feature of Laravel to prevent this.

James Cole validated this vulnerability 2 years ago
0xamal has been awarded the disclosure bounty
The fix bounty is now up for grabs
James Cole marked this as fixed with commit 0af2fd 2 years ago
James Cole has been awarded the fix bounty
James Cole
2 years ago

Maintainer


lol default value is not to throttle smart move laravel

@0xAmal
2 years ago

Researcher


Thanks @James Cole

James Cole
2 years ago

Maintainer


FYI fix + report bounty was $0, it's not like I don't want to have you paid :P

@0xAmal
2 years ago

Researcher


It's okay James Cole, huntr dev will pay. Right now your bounty has finished, I believe; the last of my reports also did not get a bounty. @admin please find a solution for these 2 issues, I got 0 $. It's okay, fine.

Jamie Slome
2 years ago

@both - seeing as the pot has been depleted, we cannot necessarily add more funds to the pot until it automatically refreshes, but will certainly ensure that your feedback is taken on.

James Cole
2 years ago

Maintainer


No worries, I suspected something like that. Would be nice to have infinite funds lol.

Jamie Slome
2 years ago

@jc5 - if you take a look at our landing page, you can see the prize pot offers that we are currently offering.
