Insufficient Granularity of Access Control in cortezaproject/corteza-server

Valid

Reported on

Oct 6th 2021


Description

There is no rate limit on the password-reset request, so an attacker can send unlimited emails to a victim or to any email address.

Proof of Concept

There is no rate limit on the password-reset request (/auth/request-password-reset), so an attacker can send unlimited emails to a victim or to any email address.

POST /auth/request-password-reset HTTP/1.1
Host: latest.cortezaproject.org
Connection: close
Content-Length: 156
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://latest.cortezaproject.org
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://latest.cortezaproject.org/auth/request-password-reset
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: same-site-authenticity-token=MTYzMzUzNDA3NnxJa3hLU1dWWWNqaFhPVVZoY1RaeGNHTTNkVTFNYkhWWWQzbFZSRVppV1VwSmVuRlRaMFJOY1dWYVVtczlJZ289fLMA80ud63qERQFnDCDmqXxDf8gaudqUxtr2Wa8uKQAa; _ga=GA1.2.279615868.1633534303; _gid=GA1.2.22624203.1633534303

same-site-authenticity-token=kMntI4RoFkKqkARqgW%2FEjNIlOHA0zPiWqLIGsOHKf6u8W%2FN9O37iBAB6rjZvjM8aN9XxMPGhet5mFqa8K1Qasg%3D%3D&email=test@test.com

Set the email= parameter in the POST body to the victim's mail address. This request can be repeated an unlimited number of times, and the victim's address will receive an unlimited number of password-reset emails.

Impact

An attacker can send unlimited emails to any mail address.

Solution:

'reset_password_tries_limit'=>5,
'reset_password_tries'=>"int(10) unsigned DEFAULT '0'",
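As an added example (not code from this report or from corteza-server; the project's actual fix is the commit referenced in the thread below), here is a per-address sliding-window limiter for the reset endpoint shown in the PoC, written in Go because that is the language corteza-server is implemented in. It follows the spirit of the `reset_password_tries_limit` suggestion above; the type and method names (`ResetLimiter`, `Allow`, `Middleware`) are hypothetical.

```go
package main

import (
	"net/http"
	"strings"
	"sync"
	"time"
)

// ResetLimiter allows at most `limit` password-reset requests per e-mail address
// within a sliding `window`. Added illustration only, not corteza-server's own fix.
type ResetLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	seen   map[string][]time.Time // request timestamps per normalised address
}

// Allow reports whether a reset request for email may proceed and records it if so.
func (l *ResetLimiter) Allow(email string) bool {
	key := strings.ToLower(strings.TrimSpace(email)) // "Test@x" and "test@x " share a bucket
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.seen == nil {
		l.seen = map[string][]time.Time{}
	}
	now, kept := time.Now(), l.seen[key][:0]
	for _, t := range l.seen[key] { // keep only timestamps still inside the window
		if now.Sub(t) < l.window {
			kept = append(kept, t)
		}
	}
	ok := len(kept) < l.limit
	if ok {
		kept = append(kept, now)
	}
	l.seen[key] = kept
	return ok
}

// Middleware rejects over-limit reset requests with 429 before they reach the mailer;
// the wrapped handler should still answer identically for known and unknown addresses.
func (l *ResetLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.Allow(r.PostFormValue("email")) {
			http.Error(w, "too many password reset requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Keying the limit on the target address is what stops the mailbox flooding described in the PoC; a per-IP limit alone would not, since the sender can rotate sources.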

We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back 8 months ago
takester
8 months ago

Researcher


any update??

We have sent a third and final follow up to the cortezaproject/corteza-server team. This report is now considered stale. 7 months ago
Tomaž Jerman
7 months ago

Maintainer


Thanks for the report; I'll get one of our guys to validate this and propose a fix.

@admin the linked CWE does not seem appropriate as this is a rate-limiting issue and not access control. I might be misunderstanding the description; please advise

Jamie Slome
7 months ago

Admin


@tjerman - it does seem as though the report alludes to rate limiting.

Feel free to request that the researcher changes the CWE/vulnerability type, before validating the report.

takester modified the report
7 months ago
takester
7 months ago

Researcher


https://www.huntr.dev/bounties/59bedd63-2e4d-44e3-b831-abb7085e282d/ Please refer to the above report which I have submitted before.

Tomaž Jerman
7 months ago

Maintainer


@takester the report is valid but the related CWE does not seem appropriate. Doing a quick search, this one seems more appropriate to me https://cwe.mitre.org/data/definitions/770.html (Allocation of Resources Without Limits or Throttling) Anyway, if you do not agree with me, let me know and I will confirm it as is.

takester
7 months ago

Researcher


Yes, it seems valid, but in the hacktivity section many researchers are reporting the same issue in this category only.

Jamie Slome
7 months ago

Admin


@takester - it certainly seems like this report is not Insufficient Granularity Control, but specifically a rate-limiting issue. CWE-770 seems fitting as Tomaz recommended.

takester
7 months ago

Researcher


Sure, no problem from my side

Tomaž Jerman validated this vulnerability 4 months ago
takester has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the cortezaproject/corteza-server team. We will try again in 7 days. 4 months ago
We have sent a second fix follow up to the cortezaproject/corteza-server team. We will try again in 10 days. 3 months ago
Denis Arh
3 months ago

Maintainer


Fixed and waiting for internal review & qc.

We have sent a third and final fix follow up to the cortezaproject/corteza-server team. This report is now considered stale. 3 months ago
Denis Arh confirmed that a fix has been merged on d2d024 3 months ago
The fix bounty has been dropped