EasyAppointments 1.5.0 | Admin Login brute-force rate-limit bypass
Information
| Software Type | Web App |
|---|---|
| Software Name | EasyAppointments |
| Affected Version | 1.5.0 |
| Software Vendor | Alex Tselegidis |
| Software Link | https://github.com/alextselegidis/easyappointments |
| Severity | High |
| CVSS Score | 8.2 |
| CVE Link | https://www.cve.org/CVERecord?id=CVE-2024-57602 |
| Affected Assets | 1293+ |
| Date of Discovery | Dec 22nd, 2024 |
| PoC Exploit | https://gist.github.com/0xHamy/fd3e1d95e114eddcfd91961032eec7fd |
Description
The admin panel login endpoint [/index.php/login/validate] is vulnerable to brute-force attacks. By default the application relies on server-side rate limiting, but this can be bypassed simply by sleeping after every 8 password attempts.
Reproduce
Please run the following code to test this:
https://gist.github.com/0xHamy/fd3e1d95e114eddcfd91961032eec7fd
At first, after repeated brute-forcing, I received a 429 error and was rate-limited, but this is easily bypassable by waiting a few seconds after too many failed attempts. My current exploit sleeps for 10 seconds after every 8 password attempts, which allows 69,120 passwords to be attempted every 24 hours.
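To show why the pause-and-retry pattern above defeats a limiter that forgets everything once its window resets, and what a persistent, escalating per-account lockout changes, here is an added simulation (not EasyAppointments code; the 8-attempt/10-second figures come from the advisory, both limiter designs are assumed for illustration):

```python
"""Added simulation: pacing guesses against a fixed-window limiter vs. an
escalating lockout. Not EasyAppointments code; limiter designs are assumed."""
from dataclasses import dataclass

BURST = 8      # attempts the advisory reports before a 429 is returned
PAUSE = 10     # seconds the advisory's exploit sleeps after each burst
DAY = 86_400


@dataclass
class FixedWindowLimiter:
    """Allows BURST attempts per PAUSE-second window, then answers 429 until
    the window expires. Nothing is remembered once the window resets."""
    window_start: int = 0
    count: int = 0

    def attempt(self, now: int) -> bool:
        if now - self.window_start >= PAUSE:
            self.window_start, self.count = now, 0
        if self.count >= BURST:
            return False          # 429: the guess is never checked
        self.count += 1
        return True               # password actually checked


@dataclass
class EscalatingLockoutLimiter:
    """Keeps a per-account failure counter that only a successful login clears;
    every BURST consecutive failures doubles the lockout (20 s, 40 s, 80 s, ...)."""
    failures: int = 0
    locked_until: int = 0

    def attempt(self, now: int) -> bool:
        if now < self.locked_until:
            return False          # still locked; counter is not reset by time
        self.failures += 1        # every processed guess is assumed to be wrong
        strikes, rem = divmod(self.failures, BURST)
        if rem == 0:
            self.locked_until = now + PAUSE * 2 ** strikes
        return True


def paced_attempts(limiter, burst=BURST, pause=PAUSE, horizon=DAY) -> int:
    """Replays the advisory's pattern (burst, sleep, repeat) for `horizon`
    seconds and returns how many guesses the server actually checked."""
    checked, now = 0, 0
    while now < horizon:
        checked += sum(limiter.attempt(now) for _ in range(burst))
        now += pause
    return checked


if __name__ == "__main__":
    print("fixed window:", paced_attempts(FixedWindowLimiter()))        # 69120
    print("escalating  :", paced_attempts(EscalatingLockoutLimiter()))  # 104
```

The fixed-window model reproduces the advisory's 69,120 checked guesses per day; the escalating lockout, whose counter is cleared only by a successful login, lets 104 through, and every rejected burst is also a clean signal for alerting.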
Proof of Concept (PoC) Video
Posted on: January 10, 2025 11:58 PM