[asterisk-bugs] [JIRA] (ASTERISK-28360) User login page does not apply any form of price determination

Asterisk Team (JIRA) noreply at issues.asterisk.org
Thu Mar 28 10:00:48 CDT 2019 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-28360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=246694#comment-246694 ] 

Asterisk Team commented on ASTERISK-28360:
------------------------------------------

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

>   User login page does not apply any form of price determination  
> ------------------------------------------------------------------
>
>                 Key: ASTERISK-28360
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28360
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: .Release/Targets
>    Affects Versions: 16.2.1
>            Reporter: ghh ouy
>            Severity: Minor
>
>   User login page does not apply any form of price determination  
> Hi Team,
> Summary:
> As a best practice a login page should have a rate limitting just
> url: https://wiki.asterisk.org/wiki/dologin.action
> ---------------------
> This makes the site vulnerable to brute force attack
> Definition of brute force:
> The web developer faces a common threat of a password guessing attack known as a brute force attack. Brute Force Attack is an attempt to discover the password by experimenting with each possible set of letters, numbers, and symbols until you discover the correct group that is working.
> : poc
> 1. Configure BurpSuite.
> 2. Submit a simple login request
> 3. Repeat this request
> You have logged in correctly to ensure that the credentials work, and then you have launched 1000 invalid login, and then login 1001
> : Effect
> An attacker may try to detect a password by trying every possible combination of letters, numbers, and symbols until it detects the correct mix that works.
> : How to fix a problem
> It is recommended that certain types of account security be implemented after a specified number of incorrect password attempts.
> __________________________---__________________________
> / 2 
>   No Rate Limit in email leads to huge Mass mailings  
> I noticed when I sent a message to set a new password I could send a large number of messages.
> : poc:
> 1. Use Burp Suite and capture request
> 2. Click on Send button after entering email address in the input field of.
> After checking over 1000 requests you noticed no error,
> 3. Send the request
> 4. I noticed that the mail is flooded with lots of requests
> : Impact
> E-mail bombs hack may create Denial of service (DoS) conditions against your e-mail software and even your network and Internet connection by taking up a large amount of bandwidth and, sometimes, requiring large amounts of storage space.
> : Remediation 
> Rate limiting should be implemented
>    ------------------------------------    
> To illustrate more you have made a video 
>  To prove the existence of more than a bug
> poc vedio :
> https://drive.google.com/file/d/13YdDoxij7sekllTSPuVnntAfOXQ-VcJZ/view
> --------------------------------------------------
>  Best regards  
>    ------------------------------------  



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list