Improper Restriction of Excessive Authentication Attempts in login feature in francoisjacquet/rosariosis

Valid

Reported on

May 23rd 2022


Description

The login feature has no rate limiting, which allows brute-force attacks against user credentials.

Steps to reproduce

1. Go to https://www.rosariosis.org/demonstration/

2. Log in with any username and password.

3. Using Burp Suite, send the login POST request to Intruder.

4. Create 30 null payloads and start the attack.

5. Log in with the correct username and password: the login succeeds, with no ban or restriction after 30 failed attempts.

Video PoC

https://drive.google.com/file/d/1Qs_DnMX18n4bsspvRRlQqpUTR18DKgBG/view?usp=sharing

Impact

This allows an attacker to perform a brute-force attack, leading to account takeover.

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a year ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a year ago
François
a year ago

Maintainer


Hello @domiee13

This is configurable, see https://github.com/francoisjacquet/rosariosis/blob/bfe6e00b147a7198badb5e21a0318cfff1886029/index.php#L183=

And go to menu School > Configuration, there you have the "Failed Login Attempts Limit" option.
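The report describes a login form that accepts unlimited failed attempts, and the maintainer's reply points out that RosarioSIS exposes a "Failed Login Attempts Limit" setting to cap them. The following is an added example of how such a cap works in principle; it is not RosarioSIS code and does not reproduce the project's implementation. The limit and lockout duration are assumed values, the in-memory array stands in for whatever persistent store a real application would use, and `attemptLogin` and `FailedLoginLimiter` are names invented for this illustration.

```php
<?php
// Added example: a minimal failed-login limiter. Not RosarioSIS code.
// Assumptions: $maxAttempts mirrors a "Failed Login Attempts Limit"-style
// configuration value; $state is an in-memory stand-in for a database table
// or cache keyed by account name.

final class FailedLoginLimiter
{
    /** @var array<string, array{count:int, locked_until:int}> */
    private array $state = [];

    public function __construct(
        private int $maxAttempts = 5,      // assumed default, would be configurable
        private int $lockoutSeconds = 900  // assumed 15-minute lockout window
    ) {}

    private function key(string $username): string
    {
        // Normalise so "Admin" and "admin" share one counter.
        return strtolower(trim($username));
    }

    public function isLocked(string $username, int $now): bool
    {
        $k = $this->key($username);
        return isset($this->state[$k]) && $this->state[$k]['locked_until'] > $now;
    }

    public function recordFailure(string $username, int $now): void
    {
        $k = $this->key($username);
        $entry = $this->state[$k] ?? ['count' => 0, 'locked_until' => 0];
        $entry['count']++;
        if ($entry['count'] >= $this->maxAttempts) {
            // Threshold reached: start the lockout and reset the counter so a
            // fresh window begins once the lockout expires.
            $entry['locked_until'] = $now + $this->lockoutSeconds;
            $entry['count'] = 0;
        }
        $this->state[$k] = $entry;
    }

    public function recordSuccess(string $username): void
    {
        // A genuine login clears any accumulated failures for that account.
        unset($this->state[$this->key($username)]);
    }
}

// Wrap the credential check so the limiter is consulted before and after it.
function attemptLogin(FailedLoginLimiter $limiter, callable $checkCredentials,
                      string $username, string $password, int $now): string
{
    if ($limiter->isLocked($username, $now)) {
        return 'locked';   // refuse before evaluating the password at all
    }
    if ($checkCredentials($username, $password)) {
        $limiter->recordSuccess($username);
        return 'ok';
    }
    $limiter->recordFailure($username, $now);
    return 'denied';
}

// Constructed demonstration (not real credentials): 30 wrong guesses against
// one account, then the correct password, as in the report's reproduction steps.
$checker = fn(string $u, string $p): bool => $u === 'admin' && $p === 'correct-horse';
$limiter = new FailedLoginLimiter(maxAttempts: 5, lockoutSeconds: 900);
$now = time();
for ($i = 0; $i < 30; $i++) {
    attemptLogin($limiter, $checker, 'admin', "guess$i", $now);
}
// With the limiter in place the correct password is refused while the
// account is still locked, and accepted only after the window has elapsed.
echo attemptLogin($limiter, $checker, 'admin', 'correct-horse', $now), PHP_EOL;
echo attemptLogin($limiter, $checker, 'admin', 'correct-horse', $now + 901), PHP_EOL;
```

Keying the counter on the account name means the limit applies no matter where the guesses come from, which is what stops a single-account brute force; the trade-off is that anyone who knows a username can deliberately lock that user out, so deployments commonly pair a per-account limit with a per-source-address limit and a short, escalating lockout rather than a permanent ban.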

francoisjacquet/rosariosis maintainer has acknowledged this report a year ago
Domiee13
a year ago

Researcher


Sorry, my bad. I used the demo website and didn't see this option.

François Jacquet validated this vulnerability a year ago
Domiee13 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 9.0 with commit 5867da a year ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE