Hi Team,
I hope you are doing well.
Vulnerability Name :- Bypass Password of Shared Files due to Lack of Rate Limit
Vulnerability Description :- Hi Team, I found a vulnerability in which I am able to bypass the password protection of shared files due to a lack of rate limiting.
Vulnerable URL :- https://efss.qloud.my/index.php/s/7ARMkjXJXAEz2kr
Steps to Reproduce :- 1. Login –> Go to Files –> Set Password.
2. Copy the shared link.
3. It looks like :- https://efss.qloud.my/index.php/s/7ARMkjXJXAEz2kr
4. Open it in another browser.
5. It asks for a password.
6. Enter a random password.
7. Capture this request in Burp Suite.
8. Send it to Intruder, select the password position, and paste the payload list.
9. Click "Start attack" and boom! After a few minutes it got bypassed with response code 303.
This leads to bypassing the password on protected shared files.
PoC attached.
If you need further info I am here to help you.
Thanks and Regards,
BhaRat
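The following is an added example, not part of the report above and not code from the affected application. It simulates the weakness the report describes and the fix a practitioner would want to verify: a password-protected share endpoint that answers 303 on the correct password and 200 otherwise, an offline replay of the Intruder run against it, and the same endpoint with a per-token failed-attempt limit that turns the brute force into a 429. The share token is the one from the reported URL; the wordlist, the share password, the status codes used for the limit, and the `ShareServer`/`brute_force` names are assumptions for the simulation only.

```python
import hmac
import time
from collections import defaultdict

# Constructed wordlist and share password (assumptions, not from the report).
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "summer2020"]
SHARE_TOKEN = "7ARMkjXJXAEz2kr"  # token from the reported share link
SHARE_PASSWORD = "summer2020"    # constructed, for the simulation only


class ShareServer:
    """Stand-in for a password-protected share endpoint (assumed behaviour).

    authenticate() mimics the form POST for /index.php/s/<token>:
    303 (redirect to the files) on the right password, 200 (re-render the
    form) otherwise, and 429 once a token has exceeded the failure budget
    inside the sliding window when rate limiting is enabled.
    """

    def __init__(self, shares, max_failures=5, window_seconds=60, rate_limit=True):
        self.shares = shares                 # token -> password
        self.max_failures = max_failures
        self.window = window_seconds
        self.rate_limit = rate_limit
        self.failures = defaultdict(list)    # token -> timestamps of failed attempts

    def authenticate(self, token, password, now=None):
        now = time.monotonic() if now is None else now
        if token not in self.shares:
            return 404
        if self.rate_limit:
            # Keep only failures still inside the window, then check the budget.
            recent = [t for t in self.failures[token] if now - t < self.window]
            self.failures[token] = recent
            if len(recent) >= self.max_failures:
                return 429
        # Constant-time comparison; a plain == would leak timing information.
        if hmac.compare_digest(password, self.shares[token]):
            return 303
        self.failures[token].append(now)
        return 200


def brute_force(server, token, wordlist, start=0.0):
    """Offline replay of the Intruder run: try each candidate in order and
    stop at the first 303, or give up when the server starts answering 429.

    Returns (password_or_None, attempts_made, last_status).
    """
    for i, candidate in enumerate(wordlist, 1):
        status = server.authenticate(token, candidate, now=start + i)  # one guess per second
        if status == 303:
            return candidate, i, status
        if status == 429:
            return None, i, status
    return None, len(wordlist), 200


if __name__ == "__main__":
    # Vulnerable configuration: no limit, so the wordlist runs to the 303.
    unprotected = ShareServer({SHARE_TOKEN: SHARE_PASSWORD}, rate_limit=False)
    print("no rate limit:", brute_force(unprotected, SHARE_TOKEN, WORDLIST))

    # Hardened configuration: the sixth wrong guess inside the window gets 429.
    protected = ShareServer({SHARE_TOKEN: SHARE_PASSWORD}, max_failures=5, window_seconds=60)
    print("rate limited: ", brute_force(protected, SHARE_TOKEN, WORDLIST))

    # A legitimate user is unaffected once the window has passed.
    print("legit later:  ", protected.authenticate(SHARE_TOKEN, SHARE_PASSWORD, now=100.0))
```

The limit is keyed on the share token rather than the client IP so that distributing guesses across addresses does not reset the budget; in a real deployment the two would be combined with a growing delay rather than a hard 429 so that an attacker cannot lock the owner's recipients out of a share.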