Insufficient Granularity of Access Control in fisharebest/webtrees

Status: Valid

Reported on: Sep 29th 2021


Description

There is no rate-limit protection on the password-request endpoint, so the limit can be bypassed to send an unlimited number of emails to the victim or to any other email address.

Proof of Concept

There is no rate limit on password-request, so an attacker can send an unlimited number of emails to the victim or to any email address.

POST /demo-stable/index.php?route=%2Fdemo-stable%2Fpassword-request%2Fdemo HTTP/1.1
Host: dev.webtrees.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://dev.webtrees.net/
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://dev.webtrees.net
Connection: close
Cookie: __Secure-WT-ID=sdh1q5pp24lj80hqqkvqqauamg
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

_csrf=afa1QzzcSWAUPfgp1FOXBUWn14DtoVru&email=aravindtestx%40gmail.com

Set the email= parameter in the POST body to the victim's mail address. Replaying this request an unlimited number of times causes the victim's email address to receive an unlimited number of verification emails.
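As an added example (not code from the webtrees project or from this report), the following Python models the missing control: a sliding-window limit on the password-request handler, keyed on both the recipient address and the client IP, with a constant response so the endpoint gives nothing away. The window, the limits and the sample addresses are assumptions.

```python
"""Sliding-window rate limit for a password-reset endpoint (constructed example)."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Assumed policy: at most 3 reset mails per address and 10 per client IP in any
# 15-minute window. These numbers are illustrative, not webtrees' settings.
WINDOW_SECONDS = 15 * 60
PER_EMAIL_LIMIT = 3
PER_IP_LIMIT = 10
RESPONSE = "If an account exists for that address, a reset link has been sent."


class ResetRateLimiter:
    def __init__(self, window=WINDOW_SECONDS, per_email=PER_EMAIL_LIMIT, per_ip=PER_IP_LIMIT):
        self.window = window
        self.per_email = per_email
        self.per_ip = per_ip
        # (scope, key) -> timestamps of accepted hits inside the current window
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.sent: List[Tuple[str, float]] = []  # mails actually handed to the mailer

    def _allowed(self, scope: str, key: str, limit: int, now: float) -> bool:
        q = self._hits[(scope, key)]
        while q and now - q[0] >= self.window:  # drop hits older than the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def handle_password_request(self, email: str, client_ip: str, now: float) -> str:
        email = email.strip().lower()  # "Victim@Example.com" counts as the same address
        # Check the IP first: a blocked client must not consume the victim's quota.
        ip_ok = self._allowed("ip", client_ip, self.per_ip, now)
        email_ok = ip_ok and self._allowed("email", email, self.per_email, now)
        if ip_ok and email_ok:
            self.sent.append((email, now))
        # Same response whether the mail went out, the address is unknown, or a
        # limit was hit, so the endpoint cannot be used to probe either state.
        return RESPONSE


def replay_poc(limiter: ResetRateLimiter, email: str, client_ip: str,
               attempts: int, start: float = 0.0, spacing: float = 1.0) -> int:
    """Replay the report's POST `attempts` times; return how many mails went out."""
    for i in range(attempts):
        limiter.handle_password_request(email, client_ip, start + i * spacing)
    return len(limiter.sent)
```

With the limiter in place, replaying the captured request a hundred times yields three mails, and the address becomes mailable again only once the window has elapsed.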

Impact

An attacker can send an unlimited number of emails to any mail address.

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back 2 months ago
Greg Roach validated this vulnerability 2 months ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach confirmed that a fix has been merged on 9ed332 2 months ago
Greg Roach has been awarded the fix bounty