
Business logic bypass of voting multiple times which may lead to DDoS #2351

Closed
oosman-rak opened this issue Jan 13, 2021 · 16 comments

Comments

@oosman-rak commented Jan 13, 2021

Describe the bug
A logged-in user can vote multiple times because the application does not limit the user to voting only once. This not only bypasses the application logic by altering poll results, thereby highly affecting the integrity of the poll results, but may also cause serious DDoS when an attacker encounters this flaw, affecting availability.

Version
PHP-Fusion version 9.03.90.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the Poll feature after logging in, by clicking the 3-dash button in the top left corner.
  2. Click on the Yes/No option of the poll and press Submit.
  3. Intercept this request using an intercepting tool like Burp.
  4. Send it to the Repeater.
  5. Replay the request multiple times.
  6. Observe that the number of votes from the same logged-in user gets added successfully.
  7. Upon replaying the requests using special features like Burp's Intruder, 1000s of votes can be logged in a matter of seconds, which not only manipulates the poll results but may lead to a serious DDoS attack.

Expected behavior

  1. Limit the logged-in user to voting only once by tracking the cookie and IP of the logged-in user.
  2. Implement a rate-limit feature.

Screenshots

bandicam.2021-01-13.21-19-25-691.mp4

Additional context
Kindly refer to the following link for more details on how to handle DoS:
https://owasp.org/www-community/attacks/Denial_of_Service
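The two mitigations listed under Expected behavior, as an added example that is not PHP-Fusion's code: a database-level unique index so that a logged-in user (or, for a guest, an IP address) can hold at most one vote row per poll, with a sliding-window rate limiter in front of the insert so that a replayed request is throttled before it reaches the database. It also refuses to record a vote whose user_ip is blank, the gap FrederickChan's comment further down describes. Table and column names (polls, poll_votes, user_ip, option_idx), the limiter parameters and the sample vote requests are all assumptions constructed for the example; it uses an in-memory SQLite database so it runs offline.

```python
import sqlite3
import time
from collections import defaultdict, deque

# Constructed schema with hypothetical table/column names (not PHP-Fusion's own).
SCHEMA = """
CREATE TABLE polls (
    poll_id  INTEGER PRIMARY KEY,
    question TEXT NOT NULL
);
CREATE TABLE poll_votes (
    vote_id    INTEGER PRIMARY KEY AUTOINCREMENT,
    poll_id    INTEGER NOT NULL REFERENCES polls(poll_id),
    user_id    INTEGER,                 -- NULL for guests
    user_ip    TEXT    NOT NULL,
    option_idx INTEGER NOT NULL,
    cast_at    REAL    NOT NULL
);
-- Logged-in users: at most one row per (poll, user). Enforced by the database
-- itself, so two replayed requests racing each other cannot both get through.
CREATE UNIQUE INDEX ux_votes_user
    ON poll_votes(poll_id, user_id) WHERE user_id IS NOT NULL;
-- Guests: at most one row per (poll, IP).
CREATE UNIQUE INDEX ux_votes_guest_ip
    ON poll_votes(poll_id, user_ip) WHERE user_id IS NULL;
"""


def open_db():
    """In-memory database with the constructed schema and one sample poll."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO polls VALUES (1, 'Sample poll question?')")
    conn.commit()
    return conn


class RateLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window_s` seconds per key."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self.hits = defaultdict(deque)  # key -> timestamps of recent attempts

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window_s:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def cast_vote(conn, limiter, poll_id, user_id, user_ip, option_idx, now=None):
    """Record one vote; returns 'accepted', 'duplicate', 'rate_limited' or 'invalid_ip'."""
    now = time.time() if now is None else now
    # A blank user_ip would make the per-IP rule match nothing, so reject it outright.
    if not user_ip or not user_ip.strip():
        return "invalid_ip"
    # Throttle on the account when logged in, on the address otherwise.
    key = f"user:{user_id}" if user_id is not None else f"ip:{user_ip}"
    if not limiter.allow(key, now):
        return "rate_limited"
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO poll_votes (poll_id, user_id, user_ip, option_idx, cast_at)"
                " VALUES (?, ?, ?, ?, ?)",
                (poll_id, user_id, user_ip, option_idx, now),
            )
    except sqlite3.IntegrityError:
        # One of the unique indexes fired: this user (or guest IP) already voted here.
        return "duplicate"
    return "accepted"


def tally(conn, poll_id):
    """Current results as {option_idx: vote_count}."""
    rows = conn.execute(
        "SELECT option_idx, COUNT(*) FROM poll_votes WHERE poll_id = ? GROUP BY option_idx",
        (poll_id,),
    )
    return {opt: n for opt, n in rows}


def replay(conn, limiter, poll_id, user_id, user_ip, option_idx, times, start=1000.0):
    """Simulate the same vote request being resubmitted `times` times, one second apart."""
    return [
        cast_vote(conn, limiter, poll_id, user_id, user_ip, option_idx, now=start + i)
        for i in range(times)
    ]


if __name__ == "__main__":
    db = open_db()
    rl = RateLimiter(limit=3, window_s=60.0)
    print(replay(db, rl, 1, 42, "198.51.100.7", 0, times=5))  # constructed sample user/IP
    print(tally(db, 1))
```

The unique index, not the application check, is what makes the replay harmless: the first request creates the row and every later one fails the constraint, whatever order or concurrency the requests arrive with. The rate limiter is the second layer from the report's Expected behavior, keeping a burst of replays from consuming database round trips at all.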

@oosman-rak oosman-rak changed the title User poll feature may lead to DDoS attack User poll feature can be used to vote multiple times which may lead to DDoS attack Jan 13, 2021
@oosman-rak oosman-rak changed the title User poll feature can be used to vote multiple times which may lead to DDoS attack Business logic bypass of voting multiple times which may lead to DDoS Jan 13, 2021
@base-zero commented Jan 13, 2021

@RobiNN1 @FrederickChan

Can you create an infusion or something for the main site to deal with these vulnerability reports so they are private, and then add a GitHub security policy to the repos so people testing know where to report these vulnerabilities, ensuring they are disclosing responsibly? Having these reports public and in turn unpatched is horrific!!!

@oosman-rak You really need to be reporting these issues privately and stick to responsible disclosure. If the PHP-Fusion team don't have a system in place, it is a poor show for them but also for you. Try everything else before making these reports public on GitHub, as it puts sites at risk of the very issues you are reporting.

@oosman-rak (Author) commented Jan 13, 2021

Yup, I agree with @base-zero. But please make sure you add me to the issues I have reported till now, so that I can track the status, retest and verify these.

Thanks,
Mohamed Oosman B S

@base-zero

@RobiNN1 @FrederickChan

I have created a pull request to create this file, which can be found here: #2352

@oosman-rak (Author) commented Jan 13, 2021

@base-zero But will the issues be moved to the publicly accessible closed-issues section after fixing, so that they can be referenced later by the security community?

It would be great if you could do that.

@base-zero commented Jan 13, 2021

@oosman-rak That is going to be down to the PHP-Fusion folks to decide how they handle the reports. However, normally you keep the report private; once the fix has been committed and a new version tagged, you would then wait a set amount of time to give the public time to install the patch, and then make a public announcement of the vulnerability and CVEs.

The PHP-Fusion folks could use the GitHub Security Advisories tool, as the project is on GitHub. This tool also hooks into the Dependabot system, making everyone safer! Credit can be given in the security advisory on GitHub along with the CVE number if applicable.

https://github.com/PHPFusion/PHPFusion/security/advisories

@oosman-rak (Author)

@base-zero But to raise a CVE request after fixing the issue I need a reference link that can be publicly accessible so that a CVE gets assigned; how do I deal with this?

@base-zero commented Jan 13, 2021

@oosman-rak You're going to need to wait for PHP-Fusion to come back with some comments to see how they want to deal with this going forward, as it's down to them how they deal with security issues. As for the CVE, if they use the GitHub Security Advisories tool, that is the report for the CVE; then once a CVE number is assigned, the security advisory can be edited to add the CVE number. You can also do private reports for CVEs in a number of different ways, but this isn't the place for that conversation; you would need to look into that yourself.

@oosman-rak (Author)

Sure, I totally understand your concern. I'll look into it myself, thanks @base-zero :)

But I will surely look forward to seeing PHP-Fusion fix these issues. Apart from this issue there are 2 other issues I raised around 24 days ago; I look forward to seeing them fixed too :)

@RobiNN1 (Contributor) commented Jan 13, 2021

Don't worry, everything will be fixed soon. We are too busy right now.

@oosman-rak (Author)

Sure, I will be reporting future issues via email @RobiNN1, thanks for taking your time and commenting, really appreciate it!

@RobiNN1 (Contributor) commented Jan 13, 2021

Also don't use our demos for these tests!
Our servers are overloaded after these tests.

Use localhost or own server!

@FrederickChan (Member)

Check again; the user_ip value was blank. Unless you change your IP, you should not be able to vote a second time.
If you can send another video after this fix, we will reopen this issue.

This vulnerability is not a big issue really, because 99% of people wouldn't use a repeater in their system.

@oosman-rak (Author)

@FrederickChan agreed, 99% of normal people won't use it. But an attacker definitely would use it to bypass the application logic and cause DDoS. This was also a major vulnerability.

However, it seems to be fixed now.

@FrederickChan (Member) commented Jan 15, 2021 via email

@oosman-rak (Author) commented Jan 17, 2021

Hi @JoakimFalk @FrederickChan @RobiNN1 ,

Can I have my name in the credits section of the readme file for reporting the following vulnerabilities:

  1. User Enumeration in Sign in page
  2. CSRF attack leads to deletion of shoutbox messages
  3. Business logic bypass of voting multiple times which may lead to DDoS.
  4. Business Logic Bypass to Add Users with no email, username and password.

You can make use of the following name: Mohamed Oosman B S
