Monthly Archives: January 2023

Self-Hosted Security Part ? – Taking over Organizr Accounts

Today we have another rate-limiting issue. While this one is not as impactful as the previous one – it’s still fun.

Organizr is a self-hosted application written in PHP that basically helps you self-host other services at your home. It’s nifty application with a surprisingly large amount of functionality. I was recently poking at it to find some security holes, and the first thing I ran across was a rate limiting issue on the login function.

When making a POST request to login, there is a body parameter called loginAttempts. If your login fails, the value of this parameter is incremented (via client side JS) and included in the next login request. When the value reaches a certain number, which is verified in PHP on the backend, the user is locked out.

You can probably see where this is going. Just send it to Burp intruder and never increment the value. Tada!

POST request to login showing the loginAttemps parameter in the request body
loginAttempts is set to 1 and the request is sent to Burp Intruder for brute forcing

The PHP backend will always see the value of loginAttempts as 1, and brute forcing is allowed to occur.

The same endpoint and method is used to rate-limit 2FA code entry, which allows an attacker to also brute force a 2FA code. This takes a bit of time – I haven’t done the math – but it still works. An attacker can just sit back and fire away with Burp Intruder. A successful login will generate cookies that will work for their specified amount of time.

Burp screenshot showing the response when a successful 2FA code is submitted
Burp screenshot showing the response when a successful 2FA code is submitted

This issue has been reported on https://huntr.dev, and this report has also been posted on the Brackish blog.

Taking Over Millions of Accounts, Cameras, Locks, etc.

I recently found a simple bug in the implementation of the password reset process for Chamberlain myQ accounts. You can read the write up here. Fun thing about it is that if your account was taken over, the app won’t boot you (at least for the time period I tested). So you could be sitting there essentially oblivious to this having happened. Chamberlain was great, and they had it fixed in about a week. Still a big fan of their stuff.