Business logic bypass of voting multiple times which may lead to DDoS #2351
Comments
Can you create an infusion or something for the main site to deal with these vulnerability reports so they are private, and then add a GitHub security policy to the repos so people testing know where to report these vulnerabilities, ensuring they are disclosing responsibly. Having these reports public and in turn unpatched is horrific!!! @oosman-rak You really need to be reporting these issues privately and stick to responsible disclosure. If the PHP-Fusion team don't have a system in place, it is a poor show for them but also for you. Try everything else before making these reports public on GitHub, as it puts sites at risk of the very issues you are reporting.
Yup, I agree with @base-zero. But please make sure you add me to the issues I have reported till now, so that I can track the status, retest and verify these. Thanks,
I have created a pull request to create this file, which can be found here: #2352
@base-zero But will the issues be moved to the publicly accessible closed-issues section after fixing, so that they can be referenced later by the security community? It would be great if you can do that.
@oosman-rak That is going to be down to the PHP-Fusion folks to decide how they handle the reports. However, normally you keep the report private, and once the fix has been committed and a new version tagged, you would then wait a set amount of time to give the public time to install the patch, and then make a public announcement of the vulnerability and CVEs. The PHP-Fusion folks could use the GitHub Security Advisories tool, as the project is on GitHub. This tool also hooks into the Dependabot system, making everyone safer! Credit can be given in the security advisory on GitHub along with the CVE number if applicable.
@base-zero But to raise a CVE request after the issue is fixed I need a reference link that can be publicly accessible so that a CVE gets assigned; how do I deal with this?
@oosman-rak You're going to need to wait for PHP-Fusion to come back with some comments to see how they want to deal with this going forward, as it's down to them how they deal with security issues. As for the CVE, if they use the GitHub Security Advisories tool, that is the report for the CVE; once a CVE number is assigned, the security advisory can be edited to add the CVE number. You can also do private reports for CVEs in a number of different ways, but this isn't the place for that conversation; you would need to look into that yourself.
Sure, I totally understand your concern. I'll look into it myself, thanks @base-zero :) But I will surely look forward to seeing PHP-Fusion fix these issues. Apart from this issue there are two other issues I raised around 24 days ago; I look forward to seeing them fixed too :)
Use the email below: https://github.com/PHPFusion/PHPFusion/security/policy
Don't worry, everything will be fixed soon. We are too busy right now.
Sure, I will be reporting future issues via email @RobiNN1, thanks for taking your time and commenting, really appreciate it!
Also, don't use our demos for these tests! Use localhost or your own server!
Check again, the user_ip value was blank. Unless you change your IP, you should not be able to vote a second time. This vulnerability is not a big issue really, because 99% of people wouldn't use a repeater in their system.
@FrederickChan agreed, 99% of normal people won't use it. But definitely an attacker would use it to bypass the application logic and cause DDoS. This was also a major vulnerability. However, it seems to be fixed now.
Yep. Much thanks from the team.
Hi @JoakimFalk @FrederickChan @RobiNN1, can I have my name in the credits section of the readme file for reporting the following vulnerabilities:
You can make use of the following name: Mohamed Oosman B S
Describe the bug
A logged-in user can vote multiple times, as the application does not limit the user to voting only once. This not only bypasses the application logic by altering poll results, thereby highly affecting the integrity of the poll results, but may also cause a serious DDoS when an attacker encounters this flaw, affecting availability.
Version
PHP-Fusion version 9.03.90.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Screenshots
bandicam.2021-01-13.21-19-25-691.mp4
Additional context
Kindly refer to the following link for more details on how to handle DoS: https://owasp.org/www-community/attacks/Denial_of_Service
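The thread turns on two observations: the reporter's point that a logged-in user could submit the same vote repeatedly, and @FrederickChan's note that the duplicate check keyed on a user_ip value that was blank. The following Python model is an added illustration of that difference, not PHP-Fusion's code and not its real schema; the table names, columns and the in-memory sqlite3 database are constructed for the example. It replays one identical vote request 50 times against a constructed IP-keyed check (which never fires when the IP string is empty) and against a check keyed on the authenticated user id and enforced by a database uniqueness constraint, so a replay is rejected atomically rather than by a separate read-then-write step.

```python
import sqlite3


# Constructed in-memory schema for this example only; not PHP-Fusion's real table layout.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        -- Weak model: ballots keyed only by the client's IP string, no uniqueness constraint.
        CREATE TABLE poll_votes_weak (
            poll_id   INTEGER NOT NULL,
            user_ip   TEXT    NOT NULL,
            option_id INTEGER NOT NULL
        );
        -- Hardened model: one row per (poll, authenticated user), enforced by the database.
        CREATE TABLE poll_votes (
            poll_id   INTEGER NOT NULL,
            user_id   INTEGER NOT NULL,
            option_id INTEGER NOT NULL,
            PRIMARY KEY (poll_id, user_id)
        );
    """)
    return conn


def vote_weak(conn, poll_id, user_ip, option_id) -> bool:
    """Duplicate check keyed on the client IP (constructed model of the weak logic).

    When user_ip arrives blank there is nothing to compare against, so the
    guard is skipped and every replayed request is counted as a fresh vote.
    """
    if user_ip:
        dup = conn.execute(
            "SELECT 1 FROM poll_votes_weak WHERE poll_id = ? AND user_ip = ?",
            (poll_id, user_ip),
        ).fetchone()
        if dup:
            return False
    conn.execute(
        "INSERT INTO poll_votes_weak (poll_id, user_ip, option_id) VALUES (?, ?, ?)",
        (poll_id, user_ip, option_id),
    )
    return True


def vote_hardened(conn, poll_id, user_id, option_id) -> bool:
    """Duplicate check keyed on the authenticated user id and enforced atomically.

    The INSERT either succeeds once or raises IntegrityError; there is no
    separate read-then-write window, so concurrent replays cannot slip through.
    """
    try:
        conn.execute(
            "INSERT INTO poll_votes (poll_id, user_id, option_id) VALUES (?, ?, ?)",
            (poll_id, user_id, option_id),
        )
    except sqlite3.IntegrityError:
        return False
    return True


def tally(conn, table, poll_id) -> int:
    """Count recorded ballots for a poll in one of the two constructed tables."""
    if table not in ("poll_votes_weak", "poll_votes"):
        raise ValueError("unknown table")
    return conn.execute(
        f"SELECT COUNT(*) FROM {table} WHERE poll_id = ?", (poll_id,)
    ).fetchone()[0]


def replay(vote_fn, conn, times, *args) -> int:
    """Submit the same vote request `times` times and return how many were accepted."""
    return sum(1 for _ in range(times) if vote_fn(conn, *args))


def demo() -> tuple:
    """Replay 50 identical votes against both models; returns (weak_accepted, hardened_accepted)."""
    conn = make_db()
    weak = replay(vote_weak, conn, 50, 1, "", 2)      # blank user_ip, the case noted in the thread
    hard = replay(vote_hardened, conn, 50, 1, 42, 2)  # same authenticated user 42 every time
    return weak, hard


if __name__ == "__main__":
    print("accepted votes (weak, hardened):", demo())  # (50, 1)
```

The point of the hardened variant is that the identity used for the one-vote rule is the authenticated account, which the client cannot leave blank or change the way it can a source address, and that uniqueness is enforced by the store itself rather than by an application-level lookup that a repeated request can race.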