No Protection against Bruteforce attacks on Login page in wger-project/wger
Reported on
Jul 23rd 2022
Description
Wger Workout Manager does not limit unsuccessful login attempts, which allows the login form to be brute-forced.
Proof of Concept
Steps to Reproduce:
Register a new user
Logout
Send a login request with an incorrect password
Capture the login request
Replay the login request, substituting the password value with each entry of a password-list payload
Should the correct password exist in the password list, ZAP reports a FOUND "Reason" with a Code of "300" for that entry
ZAP will continue attempting all passwords in the password list until complete
The login request as captured by OWASP ZAP (Zed Attack Proxy):
POST http://localhost:8002/en/user/login HTTP/1.1
Host: localhost:8002
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
Origin: https://localhost:8002
Connection: keep-alive
Referer: https://localhost:8002/en/user/login
Cookie: csrftoken=dmYHzhEL7jtry2rAuRuXFvfRNfr1ZhKELoaBcBHiD21rMHik5aAno2aJ44SloIAq; sessionid=ezv3ryk6pdpjsruystkuy9igz6nvjcwg
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
csrfmiddlewaretoken=6XFt2tC2nJ1s57MtQOmsiBqDnWHylBfBEZRnFNFzTszsjMDdr7sS18lvEL8SK25n&username=username1&password=password&submit=Login
Impact
Because the number of password attempts is unlimited, the login page can be brute-forced. If the software is hosted on a publicly reachable website, the same unthrottled endpoint may also be abused for Denial of Service.
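Added example (not code from the wger project or from the report): a minimal in-memory failed-login throttle that counts failures per account and per source IP, illustrating the kind of limit the report finds missing. The thresholds, the in-memory store and the injectable clock are assumptions; a multi-process deployment would keep the counters in a shared store.

```python
import time
from collections import defaultdict, deque

# Added example, not wger project code: an in-memory failed-login throttle of the
# kind that would close the gap described above. Policy values are constructed.
MAX_FAILURES = 5        # failures tolerated per key within WINDOW_SECONDS
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # lock duration once the limit is exceeded


class LoginThrottle:
    """Counts failures per account AND per source IP: the account key stops a
    dictionary attack on one user, the IP key stops spraying across users."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                   # injectable for deterministic tests
        self._failures = defaultdict(deque)   # key -> failure timestamps in window
        self._locked_until = {}               # key -> time the lock expires

    @staticmethod
    def _keys(username, ip):
        return (f"user:{username.lower()}", f"ip:{ip}")

    def is_allowed(self, username, ip):
        """Check BEFORE verifying the password; False means reject the attempt."""
        now = self._clock()
        return all(now >= self._locked_until.get(k, float("-inf"))
                   for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        """Call after a wrong password; returns True if this attempt caused a lockout."""
        now = self._clock()
        locked = False
        for key in self._keys(username, ip):
            q = self._failures[key]
            while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside window
                q.popleft()
            q.append(now)
            if len(q) > MAX_FAILURES:
                self._locked_until[key] = now + LOCKOUT_SECONDS
                locked = True
        return locked

    def record_success(self, username, ip):
        """A correct password clears the account counter only; the IP counter is kept."""
        key = self._keys(username, ip)[0]
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)
```

The reject-before-verify ordering in `is_allowed` matters: it stops the password check itself from being used as an oracle while an account or source is locked.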
Hi! Thanks for reporting this. You are right, at the moment there is no protection against brute force attacks. I'll open an issue on my side.
Thank you, Roland. Please keep us updated, I appreciate it.
@admin May we please consider assigning a CVE? Thank you admin and thank you Roland Geider.
Happy to assign and publish a CVE if Roland gives us permission 👍
@Roland - happy for me to proceed with a CVE?
@admin - Thank you for reaching out to Roland. @Roland, thank you very much for approving the CVE go-ahead!
CVE-2022-2650 assigned 🎉
Once the report has been confirmed as fixed by @Roland, the CVE will be published :)
@Admin What happens with the assigned CVE if the finding is not fixed?
If the report is not fixed within 90 days of the report being approved, we can proceed to make the report public and publish the CVE.
@rolandgeider @admin
I reached out to wger a few times and they replied. Thursday, Nov 10th, the official wger Workout Manager Twitter account said they would work on the vulnerabilities this week, Nov 13th - 19th.
@admin
May we please proceed with making the CVE public?
I believe we’ve passed the 90 days and I’ve reached out to the maintainer in good faith.