No Protection against Bruteforce attacks on Login page in wger-project/wger

Valid

Reported on

Jul 23rd 2022


Description

Wger Workout Manager does not limit unsuccessful login attempts, allowing brute forcing.

Proof of Concept

Steps to Reproduce:

  1. Register a new user

  2. Logout

  3. Send a login request with an incorrect password

  4. Capture the login request

  5. Replay the login request with a different password value utilizing a password list payload

  6. Should the password exist in the password list, a FOUND "Reason" with a Code of "300" will be issued

  7. ZAP will continue attempting all passwords in the password list until complete


OWASP ZAP (Zed Attack Proxy) captured request below:


POST http://localhost:8002/en/user/login HTTP/1.1
Host: localhost:8002
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
Origin: https://localhost:8002
Connection: keep-alive
Referer: https://localhost:8002/en/user/login
Cookie: csrftoken=dmYHzhEL7jtry2rAuRuXFvfRNfr1ZhKELoaBcBHiD21rMHik5aAno2aJ44SloIAq; sessionid=ezv3ryk6pdpjsruystkuy9igz6nvjcwg
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

csrfmiddlewaretoken=6XFt2tC2nJ1s57MtQOmsiBqDnWHylBfBEZRnFNFzTszsjMDdr7sS18lvEL8SK25n&username=username1&password=password&submit=Login

Impact

The impact is unlimited password attempts leading to Brute Force attacks on the login page. Should this software be hosted on a website, it may also lead to Denial of Service.
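The report's point is a missing control rather than a code defect: nothing counts failed logins, so a replayed request with a changing password is accepted indefinitely. The following is an added example of that control, written for this page; it is not wger's own code and not the fix shipped in 2.2. wger is a Django application, but the example is framework-free so it runs stand-alone: a `LoginThrottle` that counts failures per username and per client IP in a sliding window, locks a key once a threshold is reached, and doubles the lockout on repeated lockouts up to a cap, plus an `attempt_login` handler shape that checks the lock before touching the password. The thresholds, function names and the in-memory user store with its constructed credentials are all assumptions of the example.

```python
"""Failed-login throttling, added example (not wger's code or its fix).

Failures are counted per username (stops guessing against one account from
many sources) and per client IP (stops spraying many accounts from one
source). Lockouts are temporary and expire on their own, so an attacker
cannot permanently lock a victim out, which is the denial-of-service side
of the report's impact statement.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window_seconds=300.0,
                 base_lockout=60.0, max_lockout=3600.0):
        self.max_failures = max_failures      # failures allowed inside the window
        self.window_seconds = window_seconds  # sliding window length
        self.base_lockout = base_lockout      # first lockout duration (seconds)
        self.max_lockout = max_lockout        # cap for the doubling lockout
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lock ends
        self._lockout_count = defaultdict(int)

    @staticmethod
    def _keys(username, ip):
        return (("user", username.strip().lower()), ("ip", ip))

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def seconds_locked(self, username, ip, now):
        """0.0 if this user/IP pair may try to log in, else seconds until the lock ends."""
        remaining = 0.0
        for key in self._keys(username, ip):
            remaining = max(remaining, self._locked_until.get(key, 0.0) - now)
        return max(remaining, 0.0)

    def record_failure(self, username, ip, now):
        for key in self._keys(username, ip):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_failures:
                self._lockout_count[key] += 1
                duration = min(self.base_lockout * 2 ** (self._lockout_count[key] - 1),
                               self.max_lockout)
                self._locked_until[key] = now + duration
                self._failures[key].clear()

    def record_success(self, username, ip):
        # A correct password clears the account's counters only; the IP counter
        # is kept so spraying across accounts from one source is still caught.
        key = ("user", username.strip().lower())
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)
        self._lockout_count.pop(key, None)


def make_user_store(plain_passwords):
    """Constructed in-memory user table: username -> (salt, PBKDF2 digest)."""
    store = {}
    for username, password in plain_passwords.items():
        salt = os.urandom(16)
        store[username.lower()] = (
            salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    return store


def password_matches(store, username, password):
    entry = store.get(username.lower())
    if entry is None:
        # Hash anyway so unknown and known usernames take the same time.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, 100_000)
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def attempt_login(throttle, store, username, password, ip, now=None):
    """Returns ("locked", retry_after), ("ok", 0.0) or ("bad_credentials", 0.0).

    The lock is checked before the password is verified, so a locked attempt
    never reveals whether the submitted password happened to be correct.
    """
    now = time.monotonic() if now is None else now
    retry_after = throttle.seconds_locked(username, ip, now)
    if retry_after > 0:
        return "locked", retry_after
    if password_matches(store, username, password):
        throttle.record_success(username, ip)
        return "ok", 0.0
    throttle.record_failure(username, ip, now)
    return "bad_credentials", 0.0


if __name__ == "__main__":
    # Replay of the captured request with changing passwords, as in the report.
    throttle = LoginThrottle(max_failures=3, window_seconds=60, base_lockout=30)
    users = make_user_store({"username1": "constructed-example-password"})
    for i, guess in enumerate(["password", "123456", "qwerty", "letmein"]):
        print(i, attempt_login(throttle, users, "username1", guess, "127.0.0.1", now=float(i)))
```

In a Django deployment the same counters would live in the cache (per-process memory is lost on restart and not shared between workers), and the "locked" branch would render the normal failure page with a `Retry-After` style delay rather than a distinct message, so the response does not itself confirm that an account exists. Logging each lockout with username and source IP gives the operations side the signal to detect the replay pattern described in the proof of concept.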

We are processing your report and will contact the wger-project/wger team within 24 hours. 4 months ago
We have contacted a member of the wger-project/wger team and are waiting to hear back 4 months ago
Roland Geider
4 months ago

Maintainer


Hi! Thanks for reporting this. You are right, at the moment there is no protection against brute force attacks; I'll open an issue on my side.

hackinkraken
4 months ago

Researcher


Thank you, Roland. Please keep us updated, I appreciate it.

We have sent a follow up to the wger-project/wger team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the wger-project/wger team. We will try again in 10 days. 4 months ago
Roland Geider validated this vulnerability 4 months ago
hackinkraken has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
hackinkraken
4 months ago

Researcher


@admin May we please consider assigning a CVE? Thank you admin and thank you Roland Geider.

Jamie Slome
4 months ago

Admin


Happy to assign and publish a CVE if Roland gives us permission 👍

@Roland - happy for me to proceed with a CVE?

Roland Geider
4 months ago

Maintainer


Sure, go ahead

hackinkraken
4 months ago

Researcher


@admin - Thank you for reaching out to Roland. @Roland, thank you very much for approving the CVE go-ahead!

Jamie Slome
4 months ago

Admin


CVE-2022-2650 assigned 🎉

Once the report has been confirmed as fixed by @Roland, the CVE will be published :)

We have sent a fix follow up to the wger-project/wger team. We will try again in 7 days. 4 months ago
We have sent a second fix follow up to the wger-project/wger team. We will try again in 10 days. 4 months ago
We have sent a third and final fix follow up to the wger-project/wger team. This report is now considered stale. 3 months ago
hackinkraken
3 months ago

Researcher


@Admin What happens with the assigned CVE if the finding is not fixed?

Jamie Slome
3 months ago

Admin


If the report is not fixed within 90 days of the report being approved, we can proceed to make the report public and publish the CVE.

hackinkraken
15 days ago

Researcher


@rolandgeider @admin

I reached out to wger a few times and they replied. Thursday, Nov 10th, the official wger Workout Manager Twitter account said they would work on the vulnerabilities this week Nov 13th - 19th.

hackinkraken
10 days ago

Researcher


@admin

May we please proceed with making the CVE public?

I believe we’ve passed the 90 days and I’ve reached out to the maintainer in good faith.

Pavlos
8 days ago

Admin


Has this vulnerability been fixed?

hackinkraken
8 days ago

Researcher


@pavlos @admin

Unsure

Pavlos marked this as fixed in 2.2 with commit 5e3167 5 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
login.html#L1-L31 has been validated
Pavlos published this vulnerability 5 days ago
hackinkraken
5 days ago

Researcher


@pavlos @admin

Thank you
