Improper Restriction of Excessive Authentication Attempts in login feature in francoisjacquet/rosariosis

Valid

Reported on

May 23rd 2022


Description

No rate-limiting leads to bruteforce attack in login feature

Steps to reproduce

1. Go to https://www.rosariosis.org/demonstration/

2. Log in with any username and password

3. Using Burp, send the login POST request to Intruder

4. Create 30 null payloads and start the attack

5. Log in with the correct account and password; login succeeds without ban or restriction after 30 failed attempts.

Video PoC

https://drive.google.com/file/d/1Qs_DnMX18n4bsspvRRlQqpUTR18DKgBG/view?usp=sharing

Impact

This allows an attacker to perform a brute-force attack, leading to account takeover.
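As an added illustration (not code from this report or from RosarioSIS), the following Python models the control the maintainer points to later in the thread: a per-account failed-login counter with a configurable limit. The limit value, lockout window and credentials are constructed; with the limit set to 0 the simulation reproduces the reported behaviour (correct password accepted after 30 failures), and with a nonzero limit the account is locked instead.

```python
import time
from collections import defaultdict

# Constructed defaults, analogous to a "Failed Login Attempts Limit" setting.
FAILED_LOGIN_ATTEMPTS_LIMIT = 5   # 0 disables the limit
LOCKOUT_SECONDS = 900


class LoginGuard:
    """Per-account failed-login counter with a temporary lockout."""

    def __init__(self, limit=FAILED_LOGIN_ATTEMPTS_LIMIT,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self.limit = limit
        self.lockout = lockout
        self.clock = clock            # injectable so expiry can be tested
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:     # lockout expired: reset the counter
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user, password, verify):
        """Returns 'locked', 'ok' or 'denied'. verify() checks the credential
        (in real code: a constant-time comparison against a password hash)."""
        if self.limit and self.is_locked(user):
            return "locked"           # refuse even a correct password while locked
        if verify(user, password):
            self.failures[user] = 0   # successful login clears the counter
            return "ok"
        self.failures[user] += 1
        if self.limit and self.failures[user] >= self.limit:
            self.locked_until[user] = self.clock() + self.lockout
        return "denied"


def simulate(limit, clock=time.monotonic):
    """30 wrong passwords, then the correct one; returns the final outcome."""
    users = {"admin": "correct-horse"}          # constructed credential store
    guard = LoginGuard(limit=limit, clock=clock)
    verify = lambda u, p: users.get(u) == p
    for _ in range(30):
        guard.attempt("admin", "wrong", verify)
    return guard.attempt("admin", "correct-horse", verify)
```

A per-account lockout alone lets anyone who knows a username lock that user out, so in practice it is paired with per-source throttling and logging of the lockout events.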

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a month ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a month ago
François
a month ago

Maintainer


Hello @domiee13

This is configurable, see https://github.com/francoisjacquet/rosariosis/blob/bfe6e00b147a7198badb5e21a0318cfff1886029/index.php#L183=

And go to menu School > Configuration, there you have the "Failed Login Attempts Limit" option.

francoisjacquet/rosariosis maintainer has acknowledged this report a month ago
Domiee13
a month ago

Researcher


Sorry, my bad. I used the demo website and didn't see this option.

François Jacquet validated this vulnerability a month ago
Domiee13 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet confirmed that a fix has been merged on 5867da a month ago
François Jacquet has been awarded the fix bounty