Mayswind ezBookkeeping Privilege Escalation Vulnerability via Token Component
Vulnerability
A privilege escalation vulnerability has been identified in Mayswind ezBookkeeping version 0.7.0. This issue allows remote attackers to escalate privileges by exploiting the token component. The vulnerability arises from a lack of rate limiting and monitoring on the backup code verification process, which is intended to be a secure alternative to two-factor authentication (2FA) when the primary factor is unavailable. Attackers can brute-force backup codes after obtaining a valid authentication token, bypassing 2FA and gaining full access to user accounts.
Impact
Exploitation of this vulnerability leads to unauthorized access to user accounts, allowing attackers to bypass two-factor authentication, access sensitive user data, and make unauthorized changes to account information, such as email addresses.
Reproduction
To reproduce this vulnerability, log into an account and navigate to the 2FA settings. After enabling 2FA, obtain a valid token by logging in with correct credentials. Then, use the token to submit backup codes through the '/api/2fa/recovery.json' endpoint. The application does not limit the number of backup code attempts, allowing for systematic brute-forcing. Once a correct backup code is found, the application grants access to the account, where further actions, such as changing the email address, can be performed.
Remediation
The latest daily build of ezBookkeeping includes rate limiting for password and token verification attempts, addressing the brute-force vulnerability. Users are advised to update to this version.
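The following is an added example illustrating the kind of control the remediation describes; it is not ezBookkeeping's own code and does not reflect its actual limits or storage. It is a hypothetical Go verifier for 2FA backup codes that enforces a per-user failure budget (the MaxAttempts and LockWindow values are constructed), compares codes in constant time, treats each code as single-use, and writes every refused or failed attempt to an audit log so that a systematic guessing pattern against the recovery endpoint is visible to monitoring, addressing both gaps named in the advisory.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"sync"
	"time"
)

// Constructed limits for this example; the page does not state the values
// used by ezBookkeeping's daily build.
const (
	MaxAttempts = 5                // failed attempts allowed per window
	LockWindow  = 15 * time.Minute // length of the window / lockout period
)

type attemptState struct {
	failures    int
	windowStart time.Time
}

// RecoveryVerifier validates 2FA backup codes with a per-user failure budget.
// Every rejected attempt is appended to AuditLog so that brute-force activity
// against the recovery path becomes visible to monitoring.
type RecoveryVerifier struct {
	mu       sync.Mutex
	codes    map[string][]string // userID -> unused backup codes (hypothetical in-memory store)
	attempts map[string]*attemptState
	AuditLog []string
	now      func() time.Time // injectable clock for deterministic tests
}

func NewRecoveryVerifier(now func() time.Time) *RecoveryVerifier {
	if now == nil {
		now = time.Now
	}
	return &RecoveryVerifier{
		codes:    make(map[string][]string),
		attempts: make(map[string]*attemptState),
		now:      now,
	}
}

// AddUser registers a user's unused backup codes (kept in plaintext here for
// brevity; a production store would keep only salted hashes).
func (v *RecoveryVerifier) AddUser(userID string, codes []string) {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.codes[userID] = append([]string(nil), codes...)
}

// Verify checks one backup code for userID. ok is true only when the code
// matches an unused one; locked is true when the attempt was refused without
// being checked because the failure budget for the current window is spent.
func (v *RecoveryVerifier) Verify(userID, code string) (ok bool, locked bool) {
	v.mu.Lock()
	defer v.mu.Unlock()

	now := v.now()
	st := v.attempts[userID]
	if st == nil || now.Sub(st.windowStart) > LockWindow {
		// Start a fresh fixed window on first use or once the old one expired.
		st = &attemptState{windowStart: now}
		v.attempts[userID] = st
	}
	if st.failures >= MaxAttempts {
		v.AuditLog = append(v.AuditLog, fmt.Sprintf("%s: recovery attempt refused, locked until %s",
			userID, st.windowStart.Add(LockWindow).Format(time.RFC3339)))
		return false, true
	}

	for i, stored := range v.codes[userID] {
		// Constant-time comparison so response timing does not reveal how
		// much of a guess was correct.
		if subtle.ConstantTimeCompare([]byte(stored), []byte(code)) == 1 {
			// Backup codes are single-use: remove the one that just succeeded.
			v.codes[userID] = append(v.codes[userID][:i], v.codes[userID][i+1:]...)
			delete(v.attempts, userID)
			return true, false
		}
	}

	st.failures++
	v.AuditLog = append(v.AuditLog, fmt.Sprintf("%s: invalid backup code (%d/%d failures this window)",
		userID, st.failures, MaxAttempts))
	return false, false
}

func main() {
	clock := time.Unix(1700000000, 0)
	v := NewRecoveryVerifier(func() time.Time { return clock })
	v.AddUser("alice", []string{"11111111", "22222222"}) // constructed sample codes
	for i := 0; i < MaxAttempts+1; i++ {
		ok, locked := v.Verify("alice", "00000000")
		fmt.Printf("attempt %d: ok=%v locked=%v\n", i+1, ok, locked)
	}
	for _, e := range v.AuditLog {
		fmt.Println(e)
	}
}
```

The budget is keyed by user rather than by the submitting token, since an attacker who already holds a valid token can mint as many sessions as they like; a real deployment would also key on source address and alert when the audit log shows repeated lockouts for one account.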