Insufficient Granularity of Access Control in cortezaproject/corteza-server
Reported on
Oct 6th 2021
Description
There is no rate limit; an attacker can send unlimited emails to a victim or any email address.
Proof of Concept
There is no rate limit on return-password; an attacker can send unlimited emails to the victim or any email address.
POST /auth/request-password-reset HTTP/1.1
Host: latest.cortezaproject.org
Connection: close
Content-Length: 156
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://latest.cortezaproject.org
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://latest.cortezaproject.org/auth/request-password-reset
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: same-site-authenticity-token=MTYzMzUzNDA3NnxJa3hLU1dWWWNqaFhPVVZoY1RaeGNHTTNkVTFNYkhWWWQzbFZSRVppV1VwSmVuRlRaMFJOY1dWYVVtczlJZ289fLMA80ud63qERQFnDCDmqXxDf8gaudqUxtr2Wa8uKQAa; _ga=GA1.2.279615868.1633534303; _gid=GA1.2.22624203.1633534303
same-site-authenticity-token=kMntI4RoFkKqkARqgW%2FEjNIlOHA0zPiWqLIGsOHKf6u8W%2FN9O37iBAB6rjZvjM8aN9XxMPGhet5mFqa8K1Qasg%3D%3D&email=test@test.com
Set the POST data email= parameter value to the victim's mail. Send this request an unlimited number of times and the victim's email address will receive unlimited verification emails.
Impact
Attacker can send unlimited emails to any mail address.
Solution:
'reset_password_tries_limit'=>5,
'reset_password_tries'=>"int(10) unsigned DEFAULT '0'",
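The suggested fix above is a per-account tries counter. The following is an added example of that mitigation, not code from the corteza-server project: a fixed-window limiter wrapped around a hypothetical password-reset handler, counting both per requesting IP and per target e-mail address, so that one client cannot flood a victim and many clients cannot collectively exhaust a single address. The handler name, the sendMail callback, the limits and the victim@example.com sample are all assumptions made for this illustration. The response is deliberately identical whether or not a mail was sent, so the limiter does not become an account-enumeration oracle.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// window is a fixed-window counter: number of requests seen since start.
type window struct {
	start time.Time
	count int
}

// resetLimiter caps password-reset requests per key within a fixed period.
// Keys are built by the caller, here "ip:<addr>" and "email:<addr>".
type resetLimiter struct {
	mu     sync.Mutex
	limit  int
	period time.Duration
	now    func() time.Time // injectable clock so the window can be tested
	seen   map[string]*window
}

func newResetLimiter(limit int, period time.Duration) *resetLimiter {
	return &resetLimiter{limit: limit, period: period, now: time.Now, seen: map[string]*window{}}
}

// allow records one request for key and reports whether it is within the limit.
func (l *resetLimiter) allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	w, ok := l.seen[key]
	if !ok || now.Sub(w.start) >= l.period {
		l.seen[key] = &window{start: now, count: 1}
		return true
	}
	if w.count >= l.limit {
		return false
	}
	w.count++
	return true
}

// clientIP uses the TCP peer address. Behind a reverse proxy this must be
// replaced by the proxy-supplied header, and only when that proxy is trusted.
func clientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// passwordResetHandler guards a hypothetical reset endpoint. A request must
// pass both the per-IP and the per-email counter before mail is sent. The
// response body is the same either way, so neither account existence nor the
// limiter state is revealed to the caller.
func passwordResetHandler(l *resetLimiter, sendMail func(email string)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		email := strings.ToLower(strings.TrimSpace(r.FormValue("email")))
		if email == "" {
			http.Error(w, "missing email", http.StatusBadRequest)
			return
		}
		if l.allow("ip:"+clientIP(r)) && l.allow("email:"+email) {
			sendMail(email)
		}
		w.WriteHeader(http.StatusOK)
		fmt.Fprintln(w, "If that address is registered, a reset link has been sent.")
	}
}

// countMailsSent replays n reset requests for one constructed victim address
// from one client and returns how many mails the handler actually dispatched.
func countMailsSent(limit, n int) int {
	sent := 0
	h := passwordResetHandler(newResetLimiter(limit, time.Hour), func(string) { sent++ })
	for i := 0; i < n; i++ {
		body := strings.NewReader("email=victim@example.com") // constructed sample input
		req := httptest.NewRequest(http.MethodPost, "/auth/request-password-reset", body)
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return sent
}

func main() {
	fmt.Printf("10 requests, limit 5: %d mails sent\n", countMailsSent(5, 10))
}
```

In a real deployment the counters would live in shared storage (the per-account column suggested above, or a cache such as Redis) rather than process memory, and the per-IP key should be complemented by an overall outbound-mail budget so that distributed sources cannot turn the endpoint into a spam relay.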
Thanks for the report; I'll get one of our guys to validate this and propose a fix.
@admin the linked CWE does not seem appropriate as this is a rate-limiting issue and not access control. I might be misunderstanding the description; please advise
@tjerman - it does seem as though the report alludes to rate limiting.
Feel free to request that the researcher changes the CWE/vulnerability type, before validating the report.
https://www.huntr.dev/bounties/59bedd63-2e4d-44e3-b831-abb7085e282d/ Please refer to the above report which I have submitted before.
@takester the report is valid but the related CWE does not seem appropriate. Doing a quick search, this one seems more appropriate to me https://cwe.mitre.org/data/definitions/770.html (Allocation of Resources Without Limits or Throttling) Anyway, if you do not agree with me, let me know and I will confirm it as is.
Yes, it seems valid, but in the hacktivity section many researchers are reporting the same issue in this category only.
@takester - it certainly seems like this report is not Insufficient Granularity Control, but specifically a rate-limiting issue. CWE-770 seems fitting as Tomaz recommended.