Account Takeover in bookwyrm-social/bookwyrm
Valid
Reported on Jul 12th 2022
- Hello team, while I was testing on https://book.dansmonorage.blue/login I noticed that there is no rate-limit protection on the POST login form, so an attacker can take over an account by brute-forcing the password field.
Steps to reproduce:
- Go to https://book.dansmonorage.blue/login
- Enter a username and any password
- Capture the request with Burp Suite and start brute-forcing with our wordlist
POC Screenshot:
Patch recommendation:
- Add rate-limit protection on the POST login endpoints/parameters
Impact
- Account takeover
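The patch recommendation above is one line; as an added illustration (constructed here, not bookwyrm's own code or fix), this is what a failed-login rate limiter for a POST login handler can look like: failures are counted per account and per source IP in a fixed window, and once the limit trips the key is refused before the password is even checked. `LoginRateLimiter`, `attempt_login` and the thresholds are hypothetical names and values chosen for the example.

```python
import time
from collections import defaultdict

# Constructed example of the mitigation the report recommends: a fixed-window
# limiter on failed POST /login attempts. Hypothetical, not bookwyrm's code.
MAX_FAILURES = 5        # failed attempts tolerated per window
WINDOW_SECONDS = 300    # window over which failures are counted
LOCKOUT_SECONDS = 900   # block duration once the limit is reached


class LoginRateLimiter:
    def __init__(self, clock=time.time):
        self._clock = clock                    # injectable for testing
        self._failures = defaultdict(list)     # key -> failure timestamps
        self._blocked_until = {}               # key -> time the block expires

    @staticmethod
    def _keys(username, ip):
        # The account key stops distributed guessing against one user; the
        # IP key stops one source spraying many accounts.
        return (f"user:{username.strip().lower()}", f"ip:{ip}")

    def is_blocked(self, username, ip):
        now = self._clock()
        return any(now < self._blocked_until.get(k, 0)
                   for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        now = self._clock()
        for key in self._keys(username, ip):
            recent = [t for t in self._failures[key] if now - t < WINDOW_SECONDS]
            recent.append(now)
            self._failures[key] = recent
            if len(recent) >= MAX_FAILURES:
                self._blocked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, username, ip):
        # Only the account counter resets; a valid login from an address must
        # not clear that address's budget for guessing other accounts.
        self._failures.pop(f"user:{username.strip().lower()}", None)


def attempt_login(limiter, username, ip, password, check_password):
    """Hypothetical view logic: consult the limiter before the password."""
    if limiter.is_blocked(username, ip):
        return "blocked"          # answer 429 without touching credentials
    if check_password(username, password):
        limiter.record_success(username, ip)
        return "ok"
    limiter.record_failure(username, ip)
    return "failed"
```

In a real deployment the counters would live in a shared store (the app's cache or database) rather than process memory, and the blocked response should be logged so repeated lockouts are visible to operators.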
We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours.
22 days ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back.
21 days ago
We have sent a follow up to the bookwyrm-social/bookwyrm team. We will try again in 7 days.
18 days ago
We have sent a second follow up to the bookwyrm-social/bookwyrm team. We will try again in 10 days.
11 days ago
The researcher's credibility has increased: +7
The fix bounty has been dropped
@maintainer are you happy to assign a CVE? Please confirm; only then can an admin move further.
@Mouse Revee @maintainer please confirm: are you happy to assign a CVE? 😇
We will wait for the maintainer to approve a CVE for this report and then proceed with one 👍
Sorry for the delay, I didn't get a notification about these comments. I've created a CVE for this and added Akshay as a collaborator.
@admin CVE-2022-35925 has been assigned for this issue; can you please add this CVE to this report (CVE ID)?
https://github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-jvp3-mqv8-5rjw
@mouse - would you like me to assign a CVE to the other report or are you happy to do this via GitHub?