Submission #676825: VirtFusion Ltd. VirtFusion 6.0.2 Authentication / Broken Authentication (Brute-forceable OTP / Mi

Title: VirtFusion Ltd. VirtFusion 6.0.2 Authentication / Broken Authentication (Brute-forceable OTP / Mi
Description: During authorized penetration testing of VirtFusion v6.0.2 (self-hosted instance behind Cloudflare + Nginx), the email-change verification flow was found vulnerable to automated brute force.

The flow: POST /account/_settings initiates an email change. The system issues a numeric verification token to the new email address. The token verification endpoint is POST /account/_email-verify-code, accepting JSON {"code":"#########"}.

Observations: The token is numeric and short (9 digits observed). The verification endpoint did not implement effective per-IP or per-account rate-limiting, lockouts, CAPTCHA, or session invalidation. In testing, the endpoint accepted over 100,000 automated POST attempts without returning 429 or otherwise blocking the actor; eventually a request returned {"success": true}.

Impact: This allows automated brute-force of verification tokens and verification bypass. It creates risk for resource exhaustion (DoS-adjacent) and — depending on how email ownership is used in password recovery or account recovery flows — may escalate to account takeover in some deployments.

Proof-of-concept (sanitized): authenticate to a test account, POST /account/_settings with a new email, then repeatedly POST /account/_email-verify-code with guessed numeric codes until {"success": true} is returned. No exploit scripts are provided; aggregate request counts and timestamps are available upon request (sanitized).

Mitigation (recommended): enforce per-IP and per-account rate limiting (e.g., lock after 5 failed attempts); replace the numeric OTP with cryptographically secure random tokens (≥128-bit, single-use, session-bound, TTL 10–15 minutes); require password/MFA prior to changing the primary email; add WAF/Cloudflare rules and Nginx limit_req as defense in depth; log and alert on abnormal verification volumes.
Attack type: Brute-force / Authentication bypass (HTTP POST automation to verification endpoint)

Impact: Authentication/Integrity/Availability — allows token brute-force and verification bypass; possible escalation to account takeover if linked to recovery flows.

Affected components / endpoints:
POST /account/_settings — initiates email change
POST /account/_email-verify-code — verifies one-time code
Token generation and verification logic for the email-change flow
Session/token handling around email change

Attack vector(s) / exploitation method: Network. An authenticated attacker scripts repeated POST requests to /account/_email-verify-code with guessed numeric codes (9-digit observed). The endpoint processes very high volumes (>100k) without returning 429 or invalidating the session; eventually a request returned {"success": true}.

CVSS (conservative estimate): Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L — Base ≈ 5.3 (Medium). (If the vendor confirms the flow can be used to take over accounts via password-reset interaction, severity may rise to High/Critical.)

Discovery / Reporter: Discovered during authorized penetration testing by Abdullah (handle: @abdullah0x1337) on 2025-10-16. Contact: [email protected]

Has vendor been contacted? Yes — vendor notified by email on 2025-10-16. (If VulDB requires an acknowledgement screenshot, I can provide the sanitized email copy/timestamp.)
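To make the recommended mitigations concrete, the following is an added example (written for this page, not VirtFusion's code) of a hardened email-change verification handler. It applies the report's own policy values: a 128-bit single-use token bound to the issuing session with a 15-minute TTL, revocation of the pending change after 5 wrong codes, and a per-source-IP sliding-window limit that answers 429 instead of processing unbounded attempts. The class and function names, the 20-requests-per-minute window, and the in-memory storage are assumptions for illustration; in a real deployment the limiter would sit at Nginx/WAF level as well.

```python
import hmac
import secrets
import time
from collections import deque
from dataclasses import dataclass

# Policy values from the report's mitigation list; the per-IP window size is
# an assumption for this example.
TOKEN_TTL_SECONDS = 15 * 60      # single-use token valid for 15 minutes
MAX_FAILED_ATTEMPTS = 5          # revoke the pending token after 5 wrong codes
PER_IP_MAX_REQUESTS = 20         # assumed: at most 20 verification posts ...
PER_IP_WINDOW_SECONDS = 60       # ... per source IP per minute


class SlidingWindowLimiter:
    """Per-key request counter over a sliding time window: an in-memory
    stand-in for what Nginx limit_req or a WAF rule would enforce at the edge."""

    def __init__(self, max_requests, window_seconds, clock=time.time):
        self.max_requests = max_requests
        self.window = window_seconds
        self._clock = clock          # injectable clock makes the policy testable
        self._hits = {}              # key -> deque of request timestamps

    def allow(self, key):
        now = self._clock()
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


@dataclass
class PendingEmailChange:
    token: str          # 128-bit random value mailed to the new address
    session_id: str     # the session that initiated the change
    new_email: str
    issued_at: float
    failed_attempts: int = 0
    consumed: bool = False


class EmailChangeVerifier:
    """Issues and checks email-change verification tokens per account."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account_id -> PendingEmailChange

    def start_change(self, account_id, session_id, new_email):
        # The caller is expected to have re-authenticated the user (password
        # or MFA) before reaching this point, as the report recommends.
        token = secrets.token_urlsafe(16)  # 16 bytes = 128 bits of entropy
        self._pending[account_id] = PendingEmailChange(
            token, session_id, new_email, self._clock())
        return token  # in production this value is only ever sent by email

    def verify(self, account_id, session_id, submitted):
        now = self._clock()
        p = self._pending.get(account_id)
        if p is None:
            return "no_pending_change"
        if p.consumed:
            return "already_used"            # single-use: a second attempt fails
        if now - p.issued_at > TOKEN_TTL_SECONDS:
            del self._pending[account_id]
            return "expired"
        if p.session_id != session_id:
            return "session_mismatch"        # token is bound to the issuing session
        # Constant-time comparison so a mismatch position cannot leak via timing.
        if not hmac.compare_digest(p.token.encode(), submitted.encode()):
            p.failed_attempts += 1
            if p.failed_attempts >= MAX_FAILED_ATTEMPTS:
                del self._pending[account_id]  # user must restart the flow
                return "revoked"
            return "invalid"
        p.consumed = True
        return "ok"


def handle_verify_code(limiter, verifier, source_ip, account_id, session_id, body):
    """Stand-in for POST /account/_email-verify-code.
    Returns (HTTP status, JSON body); 429 is returned before any code is checked."""
    if not limiter.allow(source_ip):
        return 429, {"success": False, "error": "rate_limited"}
    code = body.get("code", "")
    if not isinstance(code, str):
        return 400, {"success": False, "error": "bad_request"}
    result = verifier.verify(account_id, session_id, code)
    if result == "ok":
        return 200, {"success": True}
    return 403, {"success": False, "error": result}
```

With these checks in place an attacker who can drive the endpoint gets at most 5 guesses per pending change against a 2^128 keyspace, every further request is answered with 429 by the limiter, and a spike in "invalid", "revoked" or 429 responses per account or IP is the signal to log and alert on.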
User: 0xfun (UID 91693)
Submitted: 2025-10-16 08:14 (6 months ago)
Moderation: 2025-10-26 18:15 (10 days later)
Status: Accepted
VulDB entry: 329982 [VirtFusion up to 6.0.2 Email Change /account/_settings information disclosure]
Points: 17
