huntr / Nehalr777 / A6DF4BAD-3382-4ADD-8918-760D885690F6

No rate limit on old password parameter allows attacker to bruteforce the existing password and set a new password

2022-09-22 15:37:04
nehalr777
www.huntr.dev
password change
bruteforce attack
rate limit
security vulnerability
web application

EPSS: 0.002 (Low)
Percentile: 57.2%

Description

There is no rate limit on the password change feature at https://rdiffweb-demo.ikus-soft.com/prefs/general#, which allows an attacker to brute-force the old password and set a new password for the account.

Proof of Concept

  1. Go to https://rdiffweb-demo.ikus-soft.com/prefs/general#
  2. Here you will see a password change feature.
  3. In the “old password” field enter any random string, and in the “new password” and “confirm new password” fields set the new password for the victim's account.
  4. Capture the request using Burp Suite and perform a brute-force attack on the old password field.
  5. Due to the absence of a rate limit on this endpoint, an attacker can easily change the password of the victim's account.

Attack Scenario: Consider a situation in which a victim is using a public device, in a library or cafe, forgets to log out of their account, and an attacker gets access to this device.
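The fix on the server side is to stop accepting unlimited wrong "old password" guesses for an account. The following is an added example of such a guard, written for this page; it is not rdiffweb's own code, and the names (PasswordChangeGuard, verify_old_password, change_password) and the limits (5 failures per 15 minutes, 15-minute lockout) are assumptions chosen for the demonstration. The failure budget is keyed by account rather than by client address, so attempts made from the victim's own device in the report's scenario still count against the same limit.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Callable, Dict, List, Optional, Tuple

# Policy constants (assumed values for this example, not taken from rdiffweb).
MAX_FAILURES = 5           # wrong old-password guesses tolerated per account...
WINDOW_SECONDS = 15 * 60   # ...inside this sliding window
LOCKOUT_SECONDS = 15 * 60  # how long the account stays locked once the limit is hit

StoredHash = Tuple[bytes, bytes]  # (salt, PBKDF2 digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredHash:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def verify_old_password(stored: StoredHash, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    salt, digest = stored
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, candidate_digest)


class PasswordChangeGuard:
    """Per-account sliding-window counter of failed old-password checks."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._failures: Dict[str, deque] = defaultdict(deque)  # user -> failure times
        self._locked_until: Dict[str, float] = {}              # user -> unlock time

    def _prune(self, user: str, now: float) -> None:
        # Drop failures older than the window so stale mistakes stop counting.
        q = self._failures[user]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, user: str) -> bool:
        return self._clock() < self._locked_until.get(user, 0.0)

    def record_failure(self, user: str) -> None:
        now = self._clock()
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


def change_password(guard: PasswordChangeGuard, store: Dict[str, StoredHash],
                    user: str, old_password: str, new_password: str) -> str:
    """Handler logic for a password-change form (hypothetical, not rdiffweb's).

    Returns 'locked', 'bad_old_password' or 'changed'. While locked, the old
    password is not checked at all, so a guess yields no right/wrong signal.
    """
    if guard.is_locked(user):
        return "locked"
    if not verify_old_password(store[user], old_password):
        guard.record_failure(user)
        return "bad_old_password"
    guard.record_success(user)
    store[user] = hash_password(new_password)
    return "changed"


def demo() -> List[str]:
    """Constructed scenario: five wrong guesses, then the right password while
    locked, then the right password again after the lockout expires."""
    fake_now = [0.0]
    guard = PasswordChangeGuard(clock=lambda: fake_now[0])
    store = {"alice": hash_password("correct horse battery")}
    outcomes = []
    for guess in ["a", "b", "c", "d", "e"]:
        outcomes.append(change_password(guard, store, "alice", guess, "new-secret"))
    outcomes.append(change_password(guard, store, "alice", "correct horse battery", "new-secret"))
    fake_now[0] += LOCKOUT_SECONDS + 1
    outcomes.append(change_password(guard, store, "alice", "correct horse battery", "new-secret"))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

In a real deployment the guard would be a single shared instance consulted by the form handler (and backed by shared storage if several workers serve the endpoint), the lock-out and wrong-password responses would share one generic error message, and each failure and lock-out would be logged so that a burst of them against one account can be alerted on.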

