ezBookkeeping 0.7.0 - Login Bruteforce
Basic Information
| Field | Value |
|---|---|
| Software Type | Web App |
| Software Name | ezBookkeeping |
| Affected Version | 0.7.0 |
| Software Vendor | Mayswind |
| Software Link | https://github.com/mayswind/ezbookkeeping |
| Severity | High |
| CVSS Score | 8.5 |
| CVE Link | https://www.cve.org/CVERecord?id=CVE-2024-57603 |
| Affected Assets | 100+ |
| Date of Discovery | Dec 27, 2024 |
Description
The login endpoint at /api/authorize.json is vulnerable to brute-forcing on both username and password. There is no rate limit protection or captcha, and the application remains vulnerable to attack by default.
Reproduce
Open the login page:

http://10.0.0.94/desktop#/login

Enter a username and password, intercept the request with a proxy such as Burp Suite, and you will see the following HTTP request being sent:

```http
POST /api/authorize.json HTTP/1.1
Host: 10.0.0.94
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: application/json, text/plain, */*
Accept-Language: en
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Timezone-Offset: -300
Content-Length: 44
Origin: http://10.0.0.94/
Connection: keep-alive
Referer: http://10.0.0.94/desktop
Priority: u=0

{"loginName":"man1","password":"1234567890"}
```

If you send a request with a wrong password, you get the following response:

```json
{"errorCode":201002,"errorMessage":"login name or password is wrong","path":"/api/authorize.json","success":false}
```

This error code can be used as a condition to create a script and figure out which passwords are incorrect and which one is correct.
Proof of Concept (PoC) Video
PoC Exploit
https://gist.github.com/0xHamy/edbf260d4ab6bb9628148bb376619292
Mitigation
- Rate Limiting
  - Limit the number of login attempts allowed per user/IP to a reasonable threshold (e.g., 5 attempts per minute).
- Account Lockout
  - Temporarily lock accounts after a defined number of failed login attempts (e.g., 3–5 attempts).
  - Notify users of lockout events via email.
- Captcha
  - Add CAPTCHA challenges after multiple failed attempts to deter automated attacks.
- Password Policy
  - Enforce strong password requirements.
  - Recommend users enable 2FA.
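The rate-limiting and account-lockout recommendations above, combined into one login-attempt limiter as an added example (not ezBookkeeping's own code); the class name, method names and the 5-per-minute / 3-failure / 15-minute thresholds are assumptions, and the key is whatever the deployment throttles on (client IP, login name, or both).

```python
"""Sliding-window rate limit plus temporary lockout for a login endpoint.

Added example, not ezBookkeeping's own code; names and thresholds are assumptions.
The key is whatever the deployment throttles on (client IP, login name, or both)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginLimiter:
    window: float = 60.0      # seconds covered by the rate limit
    max_tries: int = 5        # attempts allowed per window (5 per minute, as above)
    max_fails: int = 3        # consecutive failures before lockout
    lockout: float = 900.0    # seconds a locked key stays locked
    _attempts: dict = field(default_factory=lambda: defaultdict(deque))
    _fails: dict = field(default_factory=lambda: defaultdict(int))
    _locked_until: dict = field(default_factory=dict)

    def allow(self, key: str, now: float) -> bool:
        """Call before checking credentials; False means refuse without checking."""
        if now < self._locked_until.get(key, 0.0):
            return False                       # still locked out
        tries = self._attempts[key]
        while tries and now - tries[0] >= self.window:
            tries.popleft()                    # drop attempts that left the window
        if len(tries) >= self.max_tries:
            return False                       # rate limited: reply 429 or similar
        tries.append(now)
        return True

    def record_result(self, key: str, success: bool, now: float) -> None:
        """Call after checking credentials; max_fails consecutive failures lock the key."""
        if success:
            self._fails[key] = 0
            return
        self._fails[key] += 1
        if self._fails[key] >= self.max_fails:
            self._fails[key] = 0
            self._locked_until[key] = now + self.lockout   # hook lockout notification here


if __name__ == "__main__":
    lim = LoginLimiter()
    # Constructed scenario: six attempts from one address, one second apart.
    print([lim.allow("10.0.0.1", float(t)) for t in range(6)])  # [True, True, True, True, True, False]
```

Both checks run per key, so a deployment keying on the login name stops distributed guessing against one account while keying on the client IP stops one source from spraying many accounts.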
Patch
A patch will be issued as part of a new enhancement: https://github.com/mayswind/ezbookkeeping/labels/enhancement
Posted on: January 01, 2025 10:03 AM