EasyAppointments 1.5.0 | Admin Login bruteforce rate limit bypass

Basic Information

Software Type: Web App
Software Name: EasyAppointments
Affected Version: 1.5.0
Software Vendor: Alex Tselegidis
Software Link: https://github.com/alextselegidis/easyappointments
Severity: High
CVSS Score: 8.2
CVE Link: https://www.cve.org/CVERecord?id=CVE-2024-57602
Affected Assets: 3000+
Date of Discovery: Dec 22nd, 2024

Description

The admin panel login endpoint [/index.php/login/validate] is vulnerable to brute force. By default the application relies on server-side rate limiting, but this can easily be bypassed by sleeping between every 8 password attempts.

Reproduce

Please run the following code to test this:
https://gist.github.com/0xHamy/fd3e1d95e114eddcfd91961032eec7fd

At first, after brute-forcing repeatedly, I got a 429 error and was rate-limited, but this is easily bypassable if you wait a few seconds after too many failed attempts. My current exploit sleeps for 10 seconds after attempting 8 passwords; within every 24 hours we can attempt 69,120 passwords.

Proof of Concept (PoC) Video

PoC Exploit

https://gist.github.com/0xHamy/fd3e1d95e114eddcfd91961032eec7fd

Mitigation

  • Block IPs after n failed attempts
  • Lock accounts after n failed attempts (recommended)
  • Set up 2FA and apply rate limiting to it as well
  • Patch

    No patch available yet; the maintainer claims that the rate limiting mechanism implemented by the server is enough.
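To show why a burst-only limiter is not enough and why the account lockout above is recommended, here is an added simulation (example code written for this page, not EasyAppointments' own): a limiter that allows 8 attempts per 10-second window is replayed against the paced guessing pattern from the description, beside a consecutive-failure account lockout. The thresholds, the source IP and the account name are assumed values, and the clock is simulated, so nothing touches a network.

```python
# Added example, not EasyAppointments code. Simulated clock, no network.
from collections import defaultdict, deque

class BurstLimiter:
    """Burst-only limiter: at most `limit` attempts per `window` seconds per IP.
    Its state decays once the window passes, so pacing attempts defeats it."""
    def __init__(self, limit=8, window=10.0):        # assumed parameters
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:       # expire old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False                              # would be an HTTP 429
        q.append(now)
        return True

class AccountLockout:
    """Recommended control: consecutive failures per account with no time-based
    reset; once `max_failures` is reached the account stays locked until cleared."""
    def __init__(self, max_failures=10):             # assumed threshold
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def is_locked(self, user):
        return self.failures[user] >= self.max_failures

    def record(self, user, success):
        self.failures[user] = 0 if success else self.failures[user] + 1

def simulate(attempts, batch=8, pause=10.0):
    """Replay the paced pattern (batch guesses, then a pause) against both controls.
    Returns (guesses the burst limiter passed, guesses the lockout passed)."""
    burst, lock = BurstLimiter(), AccountLockout()
    now, passed_burst, passed_lock = 0.0, 0, 0
    for i in range(attempts):
        if i and i % batch == 0:
            now += pause
        now += 0.1                                    # gap between requests in a batch
        if burst.allow("203.0.113.5", now):           # constructed source IP
            passed_burst += 1
        if not lock.is_locked("admin"):               # assumed target account name
            passed_lock += 1
            lock.record("admin", success=False)       # every guess is wrong
    return passed_burst, passed_lock

def daily_capacity(batch=8, pause=10.0):
    """Guesses per 24 hours the burst limiter lets through when attempts are paced."""
    return int(86400 / pause) * batch
```

With the pause, every paced guess passes the burst limiter (69,120 per day, matching the figure above) while the lockout stops the account after 10; without the pause the burst limiter itself blocks after the first 8.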



    Posted on: January 10, 2025 11:58 PM