Nuxeo Platform issue NXP-32527

#PT12068_4 - Lack of Throttling on Email Functionality


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security, Security / Rights

Description

Server Security Misconfiguration > No Rate Limiting on Form > Email-Triggering

Proof of Concept

1. Log in to the admin account on https://pentest.beta.nuxeocloud.com
2. Create a file and go to its permissions tab, e.g. https://pentest.beta.nuxeocloud.com/nuxeo/ui/#!/browse/default-domain/sections/test.html?p=permissions
3. Share the file with an external user, adding the email address and the message to be sent. Click "Send email" under Actions, as shown in the attached image.
4. Intercept the request, send it to Intruder and replay it many times. Each replay sends another email to the user; nothing on the server throttles the requests.

Suggested Fix

1. Use a CAPTCHA to limit email-triggering requests.
2. Apply a per-IP rate limit to throttle the number of email-triggering requests that can be made in a given period.
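As an added illustration of the suggested fix (example code, not part of this report and not Nuxeo's own implementation), the sliding-window limiter below throttles the share-by-email action. Because the request in the proof of concept is sent by an authenticated admin from a single session, a limit keyed on client IP alone is easy to stretch with a few proxies and does nothing against a legitimate account being abused, so the example also keys on the authenticated user and on the recipient address. The budgets, the user/IP/recipient values and the replay simulation are all assumptions made for the example.

```python
import time
from collections import defaultdict, deque

# Assumed budgets (not taken from the ticket): max requests per window, window in seconds.
DEFAULT_LIMITS = {
    "user": (10, 3600),       # one authenticated user may trigger 10 share emails per hour
    "ip": (20, 3600),         # one client IP may trigger 20 share emails per hour
    "recipient": (3, 3600),   # one external address may receive 3 share emails per hour
}


class EmailRateLimiter:
    """Sliding-window limiter for email-triggering requests.

    Every request is checked against three independent scopes (user, IP,
    recipient). A request is recorded only when all three allow it, so a
    rejected replay does not consume budget.
    """

    def __init__(self, limits=DEFAULT_LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock                   # injectable for deterministic testing
        self.events = defaultdict(deque)     # (scope, key) -> timestamps inside the window

    def _window(self, scope, key, now):
        """Drop timestamps older than the scope's window and return the live queue."""
        _, window = self.limits[scope]
        q = self.events[(scope, key)]
        while q and now - q[0] >= window:
            q.popleft()
        return q

    def check(self, user, ip, recipient):
        """Return (allowed, reason). Call this before the mail is queued, server-side."""
        now = self.clock()
        scopes = (("user", user), ("ip", ip), ("recipient", recipient.strip().lower()))
        for scope, key in scopes:
            max_requests, _ = self.limits[scope]
            if len(self._window(scope, key, now)) >= max_requests:
                return False, f"{scope} limit exceeded"
        for scope, key in scopes:
            self.events[(scope, key)].append(now)
        return True, "ok"


class FakeClock:
    """Constructed clock so the simulation runs offline and deterministically."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_replay(n, spacing=0.05, limits=DEFAULT_LIMITS):
    """Replay the same share-by-email request n times (Intruder style, 50 ms apart).

    Returns how many emails would actually be sent. Values are assumed sample data.
    """
    clock = FakeClock()
    limiter = EmailRateLimiter(limits, clock.now)
    sent = 0
    for _ in range(n):
        allowed, _ = limiter.check("Administrator", "203.0.113.10", "victim@example.com")
        if allowed:
            sent += 1
        clock.advance(spacing)
    return sent


def simulate_spray(n, spacing=0.05, limits=DEFAULT_LIMITS):
    """Same admin and IP, but a different recipient on every request.

    The recipient cap never trips; the per-user cap does.
    """
    clock = FakeClock()
    limiter = EmailRateLimiter(limits, clock.now)
    sent = 0
    for i in range(n):
        allowed, _ = limiter.check("Administrator", "203.0.113.10", f"user{i}@example.com")
        if allowed:
            sent += 1
        clock.advance(spacing)
    return sent


if __name__ == "__main__":
    print("100 replays to one recipient, emails sent:", simulate_replay(100))
    print("50 requests to distinct recipients, emails sent:", simulate_spray(50))
```

In a servlet-based application this check belongs in the server-side handler (or a filter in front of it) that actually queues the mail, never in the UI, since the proof of concept bypasses the UI entirely by replaying the intercepted request. The three caps are independent so that tuning the per-IP budget up for shared egress addresses does not weaken the per-recipient protection that stops the flooding described in the report; a CAPTCHA can still be layered on top for unauthenticated forms, but it is a poor fit for an already-authenticated admin action.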

People

• Assignee: Unassigned
• Reporter: santony Sooraj Antony