Craft CMS Rate Limiting / Brute Force

2019.10.30
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-640


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title : Craft CMS up to 3.1.7 Password Prompt Form Lockout weak authentication
# Author [Discovered By] : Mohammed Abdul Raheem
# Author's [Company Name] : TrekShield IT Solution Private Limited
# Author [Exploit-db] : https://www.exploit-db.com/?author=9783
# Found Vulnerability On : 16-01-2019
# Vendor Homepage : https://craftcms.com/
# Software Information Link : https://github.com/craftcms/demo
# Software Affected Versions : Craft CMS up to v3.1.7
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : No Rate Limit implemented on Sensitive Actions
# CVE : CVE-2019-15929
####################################################################
# Description about Software :
***************************
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond.
####################################################################
# Vulnerability Description :
*****************************
In Craft CMS up to v3.1.7 the elevated-session password prompt was not rate limited the way the normal login form is. The other sensitive actions were rate limited, but the current-password check on the Change Password form was not, so the password could be guessed through that prompt by brute force.
# Impact :
***********
This affects confidentiality. An attacker can change the account password by brute-forcing the current-password prompt.
# Steps To Validate :
*********************
1. Log in to the Craft CMS account.
2. Go to https://demo.craftcms.com/<Token-Here>/s/admin/myaccount/
3. Enter a new password and click Save.
4. The application will ask for the current password.
5. Enter a random password and capture the request with Burp > send to Intruder > start the attack with the payloads you want.
# ATTACHED POC :
****************
[image: image.png]
# More Information Can be found here :
*************************************
https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#security-5
###################################################################
# Discovered By Mohammed Abdul Raheem from TrekShield.com
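The mitigation the advisory points at is to give the re-prompt the same failed-attempt lockout the login form already has. The following is an added, self-contained illustration of that policy and is not the advisory's or Craft's own code: the attempt limit, cooldown, user store and `FakeClock` are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MAX_INVALID_ATTEMPTS = 5   # assumed lockout policy (constructed for this example)
COOLDOWN_SECONDS = 300     # assumed cooldown after the limit is hit


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest; a fresh salt is generated when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class UserRecord:
    salt: bytes
    digest: bytes
    invalid_attempts: int = 0   # consecutive failures since the last success
    locked_until: float = 0.0   # monotonic timestamp; 0 means not locked


class ElevatedSessionGate:
    """Current-password re-prompt guarding sensitive actions such as a password change."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.users: Dict[str, UserRecord] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = UserRecord(salt, digest)

    def verify(self, username: str, password: str) -> str:
        """Return 'ok', 'invalid' or 'locked'. Lock-out is checked before the hash."""
        user = self.users[username]
        now = self.clock()
        if now < user.locked_until:
            return "locked"          # no guess is evaluated while the cooldown runs
        _, digest = hash_password(password, user.salt)
        if hmac.compare_digest(digest, user.digest):
            user.invalid_attempts = 0
            return "ok"
        user.invalid_attempts += 1
        if user.invalid_attempts >= MAX_INVALID_ATTEMPTS:
            user.locked_until = now + COOLDOWN_SECONDS
            user.invalid_attempts = 0
        return "invalid"


class FakeClock:
    """Deterministic clock so the cooldown can be advanced in a test."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t
```

With the gate in place a guessing loop only gets `MAX_INVALID_ATTEMPTS` evaluated guesses per cooldown window, which is the behaviour the login form already had and the re-prompt lacked.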


Copyright 2024, cxsecurity.com
