No password brute-force protection on login page in plankanban/planka

Status: Valid

Reported on: Aug 2nd 2022


Description

The login endpoint (POST /api/access-tokens) has no protection against password brute-forcing: there is no rate limiting, account lockout or delay between attempts, so an attacker can submit an unlimited number of password guesses against any account.

Proof of Concept

1. Send a login request for the target user:

   POST http://localhost:3000/api/access-tokens HTTP/1.1
   Host: localhost:3000
   Content-Type: application/json

   {"emailOrUsername": "user1@localhost.com", "password": "10000"}

2. Capture the request and replay it with a different password each time. The server accepts every attempt; nothing interrupts the loop.

Impact

An attacker can brute-force the password of any user, including administrators, and eventually gain access to the targeted account; nothing on the server side limits the number of attempts.

Timeline

- We are processing your report and will contact the plankanban/planka team within 24 hours. (2 months ago)
- We have contacted a member of the plankanban/planka team and are waiting to hear back. (2 months ago)
- Maksim Eltyshev validated this vulnerability. (2 months ago)
- vultza has been awarded the disclosure bounty.
- The fix bounty is now up for grabs.
- The researcher's credibility has increased: +7
- We have sent a fix follow-up to the plankanban/planka team. We will try again in 7 days. (a month ago)
- Maksim Eltyshev confirmed that a fix has been merged on 6429e2. (a month ago)
- The fix bounty has been dropped.
- create.js#L40-L54 has been validated.