[asterisk-bugs] [JIRA] (ASTERISK-28359) User login page does not apply any form of price determination

ghh ouy (JIRA) noreply at issues.asterisk.org
Thu Mar 28 09:58:47 CDT 2019 

ghh ouy created ASTERISK-28359:
----------------------------------

             Summary:   User login page does not apply any form of price determination  
                 Key: ASTERISK-28359
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28359
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: .Release/Targets
    Affects Versions: Feature Tracker
            Reporter: ghh ouy
            Severity: Minor


Hello I have found more of the bug in your site


/ 1 

  User login page does not apply any form of price determination  


Hi Team,

Summary:

As a best practice a login page should have a rate limitting just

url: https://wiki.asterisk.org/wiki/dologin.action

---------------------

This makes the site vulnerable to brute force attack

Definition of brute force:

The web developer faces a common threat of a password guessing attack known as a brute force attack. Brute Force Attack is an attempt to discover the password by experimenting with each possible set of letters, numbers, and symbols until you discover the correct group that is working.

: poc

1. Configure BurpSuite.

2. Submit a simple login request

3. Repeat this request

You have logged in correctly to ensure that the credentials work, and then you have launched 1000 invalid login, and then login 1001


: Effect

An attacker may try to detect a password by trying every possible combination of letters, numbers, and symbols until it detects the correct mix that works.

: How to fix a problem

It is recommended that certain types of account security be implemented after a specified number of incorrect password attempts.

__________________________---__________________________

/ 2 

  No Rate Limit in email leads to huge Mass mailings  




I noticed when I sent a message to set a new password I could send a large number of messages.

: poc:

1. Use Burp Suite and capture request

2. Click on Send button after entering email address in the input field of.

After checking over 1000 requests you noticed no error,

3. Send the request

4. I noticed that the mail is flooded with lots of requests



: Impact

E-mail bombs hack may create Denial of service (DoS) conditions against your e-mail software and even your network and Internet connection by taking up a large amount of bandwidth and, sometimes, requiring large amounts of storage space.


: Remediation 

Rate limiting should be implemented

   ------------------------------------    

To illustrate more you have made a video 
 To prove the existence of more than a bug

poc vedio :

https://drive.google.com/file/d/13YdDoxij7sekllTSPuVnntAfOXQ-VcJZ/view



--------------------------------------------------

 Best regards  


--------------------------------------------------


There is also an update of the existence of something very important
Found when creating a new account
It is possible to set a very weak password consisting of only 123 characters
This makes the brute force attack more dangerous to your site


 POC video to prove this

https://drive.google.com/file/d/1ENbaeLiLqPaecSijeObtkc8c_yulLgb7/view  







--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list