Uploaded image for project: 'Project Simple'
  1. Project Simple
  2. ST-114

Insufficient Email Authorization Controls

    XMLWordPrintable

    Details

    • Type: Change Request
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete - Closed
    • Issue Importance:
      Must Have
    • Sprint:
      ST Sprint 2

      Description

      Vulnerability Description:
      WORKTERRA provides an interface for sending emails to administrators and WORKTERRA's customer support system. The backend does not rate-limit or validate the destination of these emails.

      Impact:
      A malicious user could use WORKTERRA servers as a spam delivery platform.

      Verification and Attack Information:
      Praetorian verified this finding by intercepting requests to the endpoint responsible for sending emails. A malicious user can modify the destination email address to any email address. Additionally, there are no controls in place to the number of emails sent within a given time frame. This finding was demonstrated by sending 50 emails to a test email account. The figure below shows that the emails are originating from WORKTERRA IP addresses.

      Recommendation:
      Validate the email's destination address on the server-side. Additionally, WORKTERRA should limit the number of emails that a user can send per-minute.

        Attachments

        1. Error Log.txt
          2 kB
          Vijayendra Shinde
        2. server_error.png
          194 kB
          Venkatesh Pujari

          Issue Links

            Activity

              People

              Assignee:
              rashmita.dudhe Rashmita Dudhe (Inactive)
              Reporter:
              vijayendra Vijayendra Shinde (Inactive)
              Developer:
              Niteen Surwase (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Production Due Date: