ezBookkeeping 0.7.0 - Login Bruteforce
Information
| Software Type | Web App |
|---|---|
| Software Name | ezBookkeeping |
| Affected Version | 0.7.0 |
| Software Vendor | Mayswind |
| Software Link | https://github.com/mayswind/ezbookkeeping |
| Severity | High |
| CVSS Score | 8.5 |
| CVE Link | https://www.cve.org/CVERecord?id=CVE-2024-57603 |
| Affected Assets | 100+ |
| Date of Discovery | Dec 27, 2024 |
| PoC Exploit | https://gist.github.com/0xHamy/edbf260d4ab6bb9628148bb376619292 |
Description
The login endpoint at /api/authorize.json is vulnerable to brute-forcing of both the username and the password.
There is no rate-limiting protection or captcha on the endpoint, and the application is vulnerable to this attack in its default configuration.
Reproduce
Open the login page: http://10.0.0.94/desktop#/login
Enter a username and password and intercept the request with a proxy such as Burp Suite. You will see the following HTTP request being sent:
```http
POST /api/authorize.json HTTP/1.1
Host: 10.0.0.94
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: application/json, text/plain, */*
Accept-Language: en
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Timezone-Offset: -300
Content-Length: 44
Origin: http://10.0.0.94/
Connection: keep-alive
Referer: http://10.0.0.94/desktop
Priority: u=0

{"loginName":"man1","password":"1234567890"}
```
If you send a request with a wrong password, you get the following response:

```json
{"errorCode":201002,"errorMessage":"login name or password is wrong","path":"/api/authorize.json","success":false}
```
This error code gives a script an unambiguous condition for telling incorrect passwords from the correct one, and nothing on the server side limits how many attempts it may make.
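As an added mitigation example, not part of this advisory and not ezBookkeeping's own code: a stand-alone Go login handler for the same endpoint shape that counts failed attempts per client host and login name and answers with 429 once a limit is reached inside a sliding window, before the credentials are even checked. The user table, the credentials, the limit and window values, and the 401 status for the wrong-password case are constructed assumptions; the advisory shows only the error body, which the handler reproduces for a failed login.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"log"
	"net"
	"net/http"
	"sync"
	"time"
)

// FailureThrottle records failed attempts per key and blocks a key once it has
// `limit` failures inside the sliding `window`.
type FailureThrottle struct {
	mu       sync.Mutex
	limit    int
	window   time.Duration
	now      func() time.Time // injectable clock, so expiry can be tested
	failures map[string][]time.Time
}

func NewFailureThrottle(limit int, window time.Duration) *FailureThrottle {
	return &FailureThrottle{limit: limit, window: window, now: time.Now, failures: map[string][]time.Time{}}
}

// prune drops timestamps older than the window; the caller holds mu.
func (t *FailureThrottle) prune(key string) []time.Time {
	cutoff := t.now().Add(-t.window)
	ts := t.failures[key]
	for len(ts) > 0 && !ts[0].After(cutoff) { // timestamps are appended in order
		ts = ts[1:]
	}
	t.failures[key] = ts
	return ts
}

func (t *FailureThrottle) Blocked(key string) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	return len(t.prune(key)) >= t.limit
}

func (t *FailureThrottle) RecordFailure(key string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.failures[key] = append(t.prune(key), t.now())
}

// LoginServer is a constructed stand-in for the real service. The user table is
// plaintext for the demo only; a real service stores and compares password hashes.
type LoginServer struct {
	throttle *FailureThrottle
	users    map[string]string
}

func NewDemoServer(limit int, window time.Duration) *LoginServer {
	return &LoginServer{NewFailureThrottle(limit, window), map[string]string{"man1": "demo-only-password"}}
}

// Login checks the throttle before the credentials and returns the HTTP status to
// send. Keying on client host + login name keeps one client from locking out every user.
func (s *LoginServer) Login(clientHost, loginName, password string) int {
	key := clientHost + "|" + loginName
	if s.throttle.Blocked(key) {
		return http.StatusTooManyRequests
	}
	stored, ok := s.users[loginName]
	if !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(password)) != 1 {
		s.throttle.RecordFailure(key)
		return http.StatusUnauthorized // status code assumed; the advisory shows only the body
	}
	return http.StatusOK
}

// Authorize is the handler for the endpoint named in the advisory.
func (s *LoginServer) Authorize(w http.ResponseWriter, r *http.Request) {
	var req struct{ LoginName, Password string } // JSON field matching is case-insensitive
	if json.NewDecoder(r.Body).Decode(&req) != nil {
		http.Error(w, "invalid request body", http.StatusBadRequest)
		return
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // key on the host, not the ephemeral port
	status := s.Login(host, req.LoginName, req.Password)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	body := map[string]any{"success": status == http.StatusOK}
	if status == http.StatusUnauthorized { // same body the advisory shows
		body["errorCode"], body["errorMessage"] = 201002, "login name or password is wrong"
	}
	json.NewEncoder(w).Encode(body)
}

func main() {
	s := NewDemoServer(5, 15*time.Minute)
	http.HandleFunc("/api/authorize.json", s.Authorize)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Keying the counter on client host plus login name means a single client cannot lock every account, but a client that spreads attempts over many addresses still gets `limit` guesses per address per window, which is why the captcha the advisory also notes as missing, or an account-level lockout, belongs alongside this throttle, together with alerting on a surge of errorCode 201002 responses in the access logs. Clearing the counter on a successful login is a common refinement left out here for brevity.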
Proof of Concept (PoC) Video
Posted on: January 01, 2025 10:03 AM