What happened:
The vulnerability is a bypass of the rate-limiting mechanism that temporarily blocks a malicious actor's IP address after suspicious login attempts against the system's authentication endpoint. It is triggered by appending an "X-Forwarded-For" header to each login request: the backend treats the header value as a new client IP address, allowing the attacker to carry on with a successful brute force attack.
What did you expect to happen:
Avoid IP spoofing by not relying on the X-Forwarded-For header to determine the originating user's IP address. If that is not possible, prevent spoofing of the X-Forwarded-For header in Node.js by configuring Express to trust only specific proxies with known IP ranges via the trustProxy setting, and by verifying the IP address against a whitelist.
How to reproduce it (as minimally and precisely as possible):
Access the system's login page prior to the authentication phase.
Send multiple login requests to a single user with invalid passwords.
Notice the HTTP 429 status code returned in the response after a couple of attempts, indicating the IP address has been blocked temporarily.
Add the "X-Forwarded-For" header to the request using a proxy tool and set it to a different value on each attempt (e.g., 127.0.0.1, 127.0.0.2, 127.0.0.3).
Proceed with the brute force attack until an attempt succeeds in guessing the user's correct password.
Obtain unauthorized access to the system using an admin account, for example.
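As an added illustration of the mitigation described under "What did you expect to happen" and of why the reproduction steps above stop working once it is applied (example code, not Trudesk's own): the client IP is resolved by walking X-Forwarded-For right to left and skipping known proxies, which is what Express's `trust proxy` setting (trustProxy above) does internally, and the login rate limiter is keyed on that resolved address. The trusted proxy address 10.0.0.5 and all traffic are constructed for the example.

```javascript
// Assumed address of the only reverse proxy allowed to set X-Forwarded-For.
const TRUSTED_PROXIES = new Set(['10.0.0.5']);

// Resolve the real client IP. If the TCP peer is not a trusted proxy, the
// header is ignored entirely (anyone can set it). Otherwise walk the header
// from right to left; the first address that is not a trusted proxy is the
// client, so values a client prepends itself are never used.
function resolveClientIp(peerIp, xffHeader) {
  if (!TRUSTED_PROXIES.has(peerIp)) return peerIp;
  const hops = (xffHeader || '').split(',').map(s => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(hops[i])) return hops[i];
  }
  return peerIp; // header empty or every hop was a trusted proxy
}

// Minimal in-memory login rate limiter keyed on the resolved client IP.
class LoginRateLimiter {
  constructor(maxAttempts) {
    this.max = maxAttempts;
    this.counts = new Map();
  }
  // Returns the HTTP status a failed login attempt would receive:
  // 401 while under the limit, 429 once the limit is exceeded.
  attempt(peerIp, headers) {
    const key = resolveClientIp(peerIp, headers['x-forwarded-for']);
    const n = (this.counts.get(key) || 0) + 1;
    this.counts.set(key, n);
    return n > this.max ? 429 : 401;
  }
}

// Constructed traffic matching the report: a direct client (not a trusted
// proxy) sends a fresh X-Forwarded-For value on every request. Because the
// limiter keys on the TCP peer, the counter is not reset and 429 is reached.
function simulateSpoofedAttempts(attempts, maxAttempts) {
  const limiter = new LoginRateLimiter(maxAttempts);
  const statuses = [];
  for (let i = 1; i <= attempts; i++) {
    statuses.push(limiter.attempt('203.0.113.9', { 'x-forwarded-for': `127.0.0.${i}` }));
  }
  return statuses; // e.g. [401, 401, 401, 429, 429] for (5, 3)
}
```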
Anything else we need to know?:
Nothing else. I'm available for further questions.
Environment:
Trudesk Version: (Docker) polonel/trudesk:1.2.10
OS (e.g. from /etc/os-release): (Docker) Alpine Linux v3.15.4
Node.JS Version: v16.14.2
MongoDB Version: (Docker) mongo:5.0-focal
Is this hosted on cloud.trudesk.io: No
Below is a PoC:
2024-04-19.12-33-22.mp4