Account Takeover in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 12th 2022

Hello team, while i was testing on https://book.dansmonorage.blue/login i noticed that there is no ratelimit protection on POST login form, so an attacker can takeover the account by brute forcing the password field

Steps to reproduce:

go to https://book.dansmonorage.blue/login
Enter username and any password
Capture the request with burpsuite and start bruteforcing with our wordlist

POC Screenshot:

Patch recommendation:

Add ratelimit protecion on POST login endpoints/parameters

Impact

Account takeover

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. 10 months ago

We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back 10 months ago

We have sent a follow up to the bookwyrm-social/bookwyrm team. We will try again in 7 days. 10 months ago

Akshay Ravi

commented 10 months ago

Researcher

Hello @maintainer any update on this?

We have sent a second follow up to the bookwyrm-social/bookwyrm team. We will try again in 10 days. 10 months ago

Mouse Reeve validated this vulnerability 10 months ago

Akshay Ravi has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Mouse Reeve marked this as fixed in 0.4.5 with commit 7bbe42 10 months ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Akshay Ravi

commented 10 months ago

Researcher

@maintainer are you happy to assign a CVE? please confirm, then only admin can move further

Akshay Ravi

commented 10 months ago

Researcher

@Mouse Revee @maintainer please confirm are you happy to assign a CVE?😇

Akshay Ravi

commented 10 months ago

Researcher

@admin can you pls assign a CVE for this?

Jamie Slome

commented 10 months ago

Admin

We will wait for the maintainer to approve a CVE for this report and then proceed with one 👍

Mouse Reeve

commented 10 months ago

Sorry for the delay, I didn't get a notification about these comments. I've created a CVE for this and added Akshay as a collaborator.

Jamie Slome

commented 10 months ago

Admin

Great 👍

Akshay Ravi

commented 10 months ago

Researcher

@admin CVE-2022-35925 has assigned for this issue, can you please add this CVE on this report(CVE ID)

https://github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-jvp3-mqv8-5rjw

Jamie Slome

commented 10 months ago

Admin

CVE is attached to the report 👍

Jamie Slome

commented 10 months ago

Admin

@mouse - would you like me to assign a CVE to the other report or are you happy to do this via GitHub?

Mouse Reeve

commented 10 months ago

@jamieslome I'd be happy for you to do that. If it's preferable for me to do it in GitHub I can do that instead, just let me know, but otherwise I'll assume it's handled.

Jamie Slome

commented 10 months ago

Admin

@mouse-reeve - CVE is all sorted on the other report 👍 It should be published shortly - nothing to do on your end :)

to join this conversation

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. 10 months ago

We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back 10 months ago

We have sent a follow up to the bookwyrm-social/bookwyrm team. We will try again in 7 days. 10 months ago

Akshay Ravi

commented 10 months ago

Researcher

Hello @maintainer any update on this?

We have sent a second follow up to the bookwyrm-social/bookwyrm team. We will try again in 10 days. 10 months ago

Mouse Reeve validated this vulnerability 10 months ago

Akshay Ravi has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Mouse Reeve marked this as fixed in 0.4.5 with commit 7bbe42 10 months ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Akshay Ravi

commented 10 months ago

Researcher

@maintainer are you happy to assign a CVE? please confirm, then only admin can move further

Akshay Ravi

commented 10 months ago

Researcher

@Mouse Revee @maintainer please confirm are you happy to assign a CVE?😇

Akshay Ravi

commented 10 months ago

Researcher

@admin can you pls assign a CVE for this?

Jamie Slome

commented 10 months ago

Admin

We will wait for the maintainer to approve a CVE for this report and then proceed with one 👍

Mouse Reeve

commented 10 months ago

Sorry for the delay, I didn't get a notification about these comments. I've created a CVE for this and added Akshay as a collaborator.

Jamie Slome

commented 10 months ago

Admin

Great 👍

Akshay Ravi

commented 10 months ago

Researcher

@admin CVE-2022-35925 has assigned for this issue, can you please add this CVE on this report(CVE ID)

https://github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-jvp3-mqv8-5rjw

Jamie Slome

commented 10 months ago

Admin

CVE is attached to the report 👍

Jamie Slome

commented 10 months ago

Admin

@mouse - would you like me to assign a CVE to the other report or are you happy to do this via GitHub?

Mouse Reeve

commented 10 months ago

@jamieslome I'd be happy for you to do that. If it's preferable for me to do it in GitHub I can do that instead, just let me know, but otherwise I'll assume it's handled.

Jamie Slome

commented 10 months ago

Admin

@mouse-reeve - CVE is all sorted on the other report 👍 It should be published shortly - nothing to do on your end :)

to join this conversation