- Type: Clean up
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 8.3
- Fix Version/s: 8.10
- Component/s: Security, Web Common
- Tags:
- Sprint: nxfit 8.4.3, nxfit 8.4.5
- Story Points: 5
URL/Location
https://bounty.nuxeo.com/nuxeo/login.jsp
Parameter
vulnerable endpoint: https://bounty.nuxeo.com/nuxeo/nxstartup.faces
Description
Hi,
The login form transmits data via a POST request, but at the same time the API accepts data using a GET request like this:
https://bounty.nuxeo.com/nuxeo/nxstartup.faces?user_name=test&user_password=test&language=fr_FR&requestedUrl=&forceAnonymousLogin=&form_submitted_marker=&Submit=Connexion
The API should only accept POST requests here!
As a POC, I can't find a good scenario on how to exploit this!
Maybe this could be a bug and not a vulnerability!
Sometimes this is used to bypass captcha and rate limiting on login forms!
I hope that you can just provide me with more information on whether Nuxeo uses any protection on the login form, to see if this could help to bypass it or not!
At the same time, this needs a fix!
Thanks.
Proof of concept
This is the login endpoint:
I used test as the username and password!
You can test it with valid credentials by changing the user_name= and user_password= values.
Then you will log in successfully!
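The report's fix is that the login endpoint should accept credentials only in a POST body; the defensive reasons are that a credential-bearing GET URL ends up in access logs, proxy logs, browser history and Referer headers. The following Python is an added example written for this page, not Nuxeo's own code or its patch: it shows the server-side rule (reject any non-POST request to the login path, and reject credential parameters in the query string even on POST), a detection pass over constructed access-log lines that finds where credentials were already sent in URLs, and a redaction helper for logging such URLs. The endpoint path and the `user_name`/`user_password` parameter names come from the report; the log format, the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Path and parameter names are taken from the report above; the rest of this
# example (log format, sample lines, function names) is assumed for illustration.
LOGIN_PATH = "/nuxeo/nxstartup.faces"
CREDENTIAL_PARAMS = {"user_name", "user_password"}

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "POST /nuxeo/nxstartup.faces HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2020:10:00:01 +0000] "GET /nuxeo/nxstartup.faces?user_name=test&user_password=test&language=fr_FR HTTP/1.1" 302 0 "-" "curl/7.68.0"
10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /nuxeo/nxstartup.faces?user_name=alice&user_password=s3cret HTTP/1.1" 302 0 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /nuxeo/login.jsp HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Minimal parser for the sample format: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def credential_params_in_url(target):
    """Return the set of credential parameter names present in the query string
    of a request target aimed at the login endpoint (empty set otherwise)."""
    parts = urlsplit(target)
    if parts.path != LOGIN_PATH:
        return set()
    return set(parse_qs(parts.query, keep_blank_values=True)) & CREDENTIAL_PARAMS


def login_request_allowed(method, target):
    """Server-side rule for the login endpoint: only POST, and never credentials
    in the URL (a POST with credentials in its query string still leaks them)."""
    if urlsplit(target).path != LOGIN_PATH:
        return True  # rule only concerns the login endpoint
    if method != "POST":
        return False
    return not credential_params_in_url(target)


def redact_target(target):
    """Replace credential values in a request target so it can be logged safely."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    safe = [(k, "REDACTED" if k in CREDENTIAL_PARAMS else v) for k, v in pairs]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(safe), parts.fragment))


def find_credentials_in_query(log_text):
    """Detection: one (ip, method, sorted parameter names) tuple per log line
    that carried login credentials in the URL. Values are never returned."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        leaked = credential_params_in_url(m["target"])
        if leaked:
            findings.append((m["ip"], m["method"], sorted(leaked)))
    return findings


if __name__ == "__main__":
    for ip, method, params in find_credentials_in_query(SAMPLE_LOG):
        print(f"{ip} sent {params} to {LOGIN_PATH} via {method}")
```

The two checks are deliberately separate: `login_request_allowed` is what an HTTP filter in front of the endpoint would enforce going forward, while `find_credentials_in_query` answers the retrospective question of which clients already submitted credentials in URLs (and therefore which passwords are sitting in log files and should be rotated). Findings carry parameter names only, and `redact_target` exists so that the offending URL is never copied into another log verbatim.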