Account Takeover in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 12th 2022


  1. Hello team, while I was testing on https://book.dansmonorage.blue/login I noticed that there is no rate-limit protection on the POST login form, so an attacker can take over an account by brute-forcing the password field.

Steps to reproduce:

  1. go to https://book.dansmonorage.blue/login
  2. Enter username and any password
  3. Capture the request with Burp Suite and start brute-forcing with our wordlist

POC Screenshot:

Patch recommendation:

  1. Add rate-limit protection on POST login endpoints/parameters

Impact

  1. Account takeover
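The following is an added example, written for this page to illustrate the patch recommendation above; it is not the researcher's code and not bookwyrm's own fix. It assumes a sliding-window counter of failed logins keyed on (client IP, username), a 10-failure limit per 5-minute window, an injectable clock so the example runs offline, and a constructed user store and wordlist. The simulated attacker replays the report's scenario (a wordlist against one username) first without and then with the throttle.

```python
"""Login throttle and brute-force simulation.

Added illustration for this report, not bookwyrm's own code. The user store,
wordlist and IP addresses below are constructed for the demo.
"""
import hmac
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


class FakeClock:
    """Deterministic clock so the window expiry can be demonstrated offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class LoginThrottle:
    """Sliding-window limit on failed logins per (client IP, username).

    Assumed policy: at most `max_attempts` failures in any `window_seconds`
    span; a further attempt inside the window is rejected before the
    password is even checked.
    """
    max_attempts: int = 10
    window_seconds: float = 300.0
    clock: Callable[[], float] = field(default=time.monotonic)
    _failures: Dict[Tuple[str, str], List[float]] = field(
        default_factory=lambda: defaultdict(list), init=False, repr=False)

    @staticmethod
    def _key(ip: str, username: str) -> Tuple[str, str]:
        return (ip, username.lower())

    def is_blocked(self, ip: str, username: str) -> bool:
        now = self.clock()
        key = self._key(ip, username)
        # Drop failures that have aged out of the window, then compare.
        self._failures[key] = [t for t in self._failures[key]
                               if now - t < self.window_seconds]
        return len(self._failures[key]) >= self.max_attempts

    def record_failure(self, ip: str, username: str) -> None:
        self._failures[self._key(ip, username)].append(self.clock())

    def reset(self, ip: str, username: str) -> None:
        self._failures.pop(self._key(ip, username), None)


def attempt_login(throttle: Optional[LoginThrottle], ip: str, username: str,
                  password: str, user_db: Dict[str, str]) -> str:
    """Return 'throttled', 'denied' or 'ok'. throttle=None models the unpatched form."""
    if throttle is not None and throttle.is_blocked(ip, username):
        return "throttled"
    # Plain-text compare is for the demo only; a real app verifies a password hash.
    if hmac.compare_digest(user_db.get(username, ""), password):
        if throttle is not None:
            throttle.reset(ip, username)
        return "ok"
    if throttle is not None:
        throttle.record_failure(ip, username)
    return "denied"


def simulate_bruteforce(wordlist: List[str], username: str, user_db: Dict[str, str],
                        throttle: Optional[LoginThrottle],
                        ip: str = "203.0.113.7") -> Tuple[str, int]:
    """Replay the report's attack: one username, one source IP, a wordlist.

    Returns (outcome, number of guesses that were actually checked against
    the credential store), so the two runs can be compared.
    """
    checked = 0
    for guess in wordlist:
        result = attempt_login(throttle, ip, username, guess, user_db)
        if result == "throttled":
            return "throttled", checked
        checked += 1
        if result == "ok":
            return "compromised", checked
    return "exhausted", checked


if __name__ == "__main__":
    users = {"alice": "correct-horse-battery-staple"}          # constructed
    wordlist = [f"password{i}" for i in range(29)] + ["correct-horse-battery-staple", "hunter2"]
    print("unthrottled:", simulate_bruteforce(wordlist, "alice", users, None))
    clock = FakeClock()
    throttle = LoginThrottle(max_attempts=10, window_seconds=300, clock=clock)
    print("throttled:  ", simulate_bruteforce(wordlist, "alice", users, throttle))
```

Keying on (IP, username) is enough to stop the single-source attack described in the report, but an attacker rotating source addresses still gets `max_attempts` guesses per IP, so a production deployment should also count failures per username (with a progressive delay rather than a hard lockout, so the throttle cannot be turned into a denial of service against the legitimate user) and keep the counters in storage shared across all application workers.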
We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. 10 months ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back 10 months ago
We have sent a follow up to the bookwyrm-social/bookwyrm team. We will try again in 7 days. 10 months ago
Akshay Ravi
10 months ago

Researcher


Hello @maintainer any update on this?

We have sent a second follow up to the bookwyrm-social/bookwyrm team. We will try again in 10 days. 10 months ago
Mouse Reeve validated this vulnerability 10 months ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve marked this as fixed in 0.4.5 with commit 7bbe42 10 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Akshay Ravi
10 months ago

Researcher


@maintainer are you happy to assign a CVE? please confirm, then only admin can move further

Akshay Ravi
10 months ago

Researcher


@Mouse Reeve @maintainer please confirm, are you happy to assign a CVE? 😇

Akshay Ravi
10 months ago

Researcher


@admin can you pls assign a CVE for this?

Jamie Slome
10 months ago

Admin


We will wait for the maintainer to approve a CVE for this report and then proceed with one 👍

Mouse Reeve
10 months ago

Sorry for the delay, I didn't get a notification about these comments. I've created a CVE for this and added Akshay as a collaborator.

Jamie Slome
10 months ago

Admin


Great 👍

Akshay Ravi
10 months ago

Researcher


@admin CVE-2022-35925 has been assigned for this issue, can you please add this CVE to this report (CVE ID)?

https://github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-jvp3-mqv8-5rjw

Jamie Slome
10 months ago

Admin


CVE is attached to the report 👍

Jamie Slome
10 months ago

Admin


@mouse - would you like me to assign a CVE to the other report or are you happy to do this via GitHub?

Mouse Reeve
10 months ago

@jamieslome I'd be happy for you to do that. If it's preferable for me to do it in GitHub I can do that instead, just let me know, but otherwise I'll assume it's handled.

Jamie Slome
10 months ago

Admin


@mouse-reeve - CVE is all sorted on the other report 👍 It should be published shortly - nothing to do on your end :)
