Insufficient Granularity of Access Control in firefly-iii/firefly-iii

Status: Valid

Reported on Oct 3rd 2021

Description
There is no rate limit, so an attacker can send unlimited emails to the victim or to any email address.

Proof of Concept
There is no rate limit on the reset-password endpoint, so an attacker can send unlimited emails to the victim or to any email address.

POST /password/email HTTP/2
Host: demo.firefly-iii.org
Cookie: _pk_id.1.a460=715ef04152ed803e.1632942816.; google2fa_token=eyJpdiI6ImpuOTF1cTdPemN3alRzNnJWOTBsNkE9PSIsInZhbHVlIjoiQno0RDdmWkpIalVZUGFsRHc0NmZ1TWRKOGR1S2Jna2U1RllGNkM2blpnaXpTZkxMOU90Um0xRDNzZGg0WWp1NiIsIm1hYyI6ImEyZDNhMmMxZTAxNGE3OGYzODgxMWQwMGY3YmEwMzNhNjQxNDk5NjJkNmM5NTg5YmFmN2JhOTJjMDUwNjM1NDciLCJ0YWciOiIifQ%3D%3D; report-type=default; report-accounts=; report-categories=undefined; report-budgets=undefined; report-tags=undefined; report-double=undefined; report-start=20211001; report-end=20211031; XSRF-TOKEN=eyJpdiI6Ik4xWjhEVWgzVmZRbEhnS2w1ZjNZVmc9PSIsInZhbHVlIjoiUy9JS1hTSEhMTkozTkVyUkxrTTNOTVQ1dmF5TXhTdThlWGFPcEJoMjgwUUVZSnJkODN5Z0w5ZWxCZDhCclV1N2NveWVQMEtEMlhtMWxqU0lla3cwZStNa1Zsbm9ISFZxdDNPSUd6c1RXMzR3OU5pQng4a1lub05LL09uaXdyeE8iLCJtYWMiOiIwNWNkOGQxMTk0M2I2ZjgzNTMwY2MyNTY3M2M0M2Q0MzYzZjM3YzcxZjljZmE2ZDcxY2YxMjhjZTkxNjU1NGMyIiwidGFnIjoiIn0%3D; firefly_session=eyJpdiI6IkNSN0t6YTFCRkR5R2k2Rk41T1VGRmc9PSIsInZhbHVlIjoiM1Z1YmkvZnZHZEU1VVlwZEtCb1NSUU43SHF0dGs5OFBCd2gyRWpuc0RVYWsxYVBBaE5zWmFDOEpGdi9MWHVOWW9Wd1J6bzJrRE4wc2xLVkRhZDcxZFVBRGFjTlpLTFBDZE5NT1RpVHFRdTIzSUlXVzFHVWlxdURSZVVWRXo3MFciLCJtYWMiOiI1OTJlZGI4NjI2M2UyMjNjNjYxNmUyMTkzZDZjMjc2YTQ2MTBiZThjNDBkOTYwYzE4ZDg2NjFiZGI3ODlhNzA4IiwidGFnIjoiIn0%3D; _pk_ses.1.a460=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Origin: null
Content-Length: 70
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: same-origin
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

_token=SjdJgFhxeldLUfUYneaR0Ts6alSOfINdCQ9HY1xw&email=test%40gmail.com

Set the email= parameter in the POST data to the victim's mail address. This request can be replayed an unlimited number of times, and the victim's email address will receive unlimited verification emails.

Impact
An attacker can send unlimited emails to any mail address.

Solution:

'reset_password_tries_limit' => 5,
'reset_password_tries' => "int(10) unsigned DEFAULT '0'",
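For reference, this is how the reset-mail endpoint is normally throttled in a Laravel 8 application; it is an added example written for this page, not Firefly III's own code or the merged fix. The limiter name 'password-reset', the ForgotPasswordController class and the file placement are assumptions.

```php
<?php
// Added example, not Firefly III code. Assumes Laravel 8; the limiter name
// 'password-reset' and the ForgotPasswordController class are assumed.

use App\Http\Controllers\Auth\ForgotPasswordController; // assumed (laravel/ui style)
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

// 1. config/auth.php: the PasswordBroker throttles only when 'throttle' > 0.
//    If the key is missing it defaults to 0 and a second reset mail for the
//    same address goes out immediately, which is the behaviour reported above.
//
//    Weak:
//    'users' => ['provider' => 'users', 'table' => 'password_resets', 'expire' => 60],
//
//    Hardened (60 s minimum gap between reset mails per address):
//    'users' => [
//        'provider' => 'users', 'table' => 'password_resets',
//        'expire'   => 60,   // minutes the reset token stays valid
//        'throttle' => 60,   // seconds before another mail to the same address
//    ],

// 2. RouteServiceProvider::boot(): a named limiter keyed on both the submitted
//    address and the client IP, so one client cannot flood one mailbox and one
//    address cannot be hammered cheaply from many clients. Both limits apply.
RateLimiter::for('password-reset', function (Request $request) {
    $email = Str::lower(trim((string) $request->input('email', '')));
    return [
        Limit::perMinute(3)->by('pw-reset:email:' . $email),
        Limit::perMinute(10)->by('pw-reset:ip:' . $request->ip()),
    ];
});

// 3. routes/web.php: attach the limiter to the endpoint from the PoC.
//    Requests over the limit get HTTP 429 with a Retry-After header, which is
//    also a useful signal to alert on in the web server logs.
Route::post('/password/email', [ForgotPasswordController::class, 'sendResetLinkEmail'])
    ->middleware(['guest', 'throttle:password-reset'])
    ->name('password.email');
```

The broker-level 'throttle' key and the route-level limiter are independent: the first stops repeated mails to one address, the second caps how many addresses a single client can hit per minute.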
We have contacted a member of the firefly-iii team and are waiting to hear back 2 months ago
James Cole (Maintainer), 2 months ago

Weird, it is literally a feature of Laravel to prevent this.

James Cole validated this vulnerability 2 months ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
James Cole confirmed that a fix has been merged on 0af2fd 2 months ago
James Cole has been awarded the fix bounty
James Cole (Maintainer), 2 months ago

lol, default value is not to throttle. Smart move, Laravel.

@0xAmal (Researcher), 2 months ago

Thanks @James Cole

James Cole (Maintainer), 2 months ago

FYI fix + report bounty was $0, it's not like I don't want to have you paid :P

@0xAmal (Researcher), 2 months ago

It's okay James Cole, huntr dev will pay. Right now your bounty has finished, I believe. The last of my reports also did not get a bounty. @admin please find a solution for these 2 issues, I got 0 $. It's okay, fine.

Jamie Slome (Admin), 2 months ago

@both - seeing as the pot has been depleted, we cannot necessarily add more funds to the pot until it automatically refreshes, but will certainly ensure that your feedback is taken on.

James Cole (Maintainer), 2 months ago

No worries, I suspected something like that. Would be nice to have infinite funds lol.

Jamie Slome (Admin), 2 months ago

@jc5 - if you take a look at our landing page, you can see the prize pot offers that we are currently offering.