VirtFusion Excessive Authentication Vulnerability in Email Change Handler

Vulnerability

A vulnerability allowing excessive authentication attempts has been identified in VirtFusion versions up to and including 6.0.2. The issue lies in the Email Change Handler component, specifically in the file '/account/_settings'. Because failed verification attempts are not restricted, an attacker can brute-force verification tokens automatically, potentially bypassing verification and, in some cases, taking over the account.

Impact

Exploitation of this vulnerability allows automated brute-forcing of email verification tokens, bypassing the verification step. The flood of requests can also exhaust system resources, producing a denial-of-service-like effect, and may lead to account takeover if the email change process is linked to account recovery procedures.

Reproduction

The vulnerability can be reproduced by initiating an email change through the '/account/_settings' endpoint. After a verification token is sent to the new email address, the token can be brute-forced by submitting repeated POST requests to the '/account/_email-verify-code' endpoint with guessed numeric codes. Because there is no effective rate limiting or lockout, this process can be automated and eventually yields a successful verification.

Remediation

It is recommended to implement per-IP and per-account rate limiting on the verification endpoint, replace short numeric one-time passwords with cryptographically secure random tokens, require password or multi-factor authentication before the primary email can be changed, and add rules to the web application firewall or Cloudflare as an additional layer of protection.
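The following is an added illustration of the recommended server-side controls, not VirtFusion's code: a hypothetical verifier for a pending email change that issues a long random token with an expiry, requires fresh re-authentication before the change can start, caps failed attempts per account, and compares tokens in constant time. Per-IP limiting is assumed to be enforced separately at the WAF or reverse proxy.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # failed guesses allowed per pending change (constructed policy)
TOKEN_TTL_SECONDS = 900   # token validity window: 15 minutes (constructed policy)


@dataclass
class PendingEmailChange:
    new_email: str
    token: str
    created_at: float
    attempts: int = 0


class EmailChangeVerifier:
    """Hypothetical hardened email-change flow: random token, TTL, attempt cap."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # account_id -> PendingEmailChange

    def start_change(self, account_id, new_email, reauthenticated):
        # Require a fresh password/MFA check before touching the primary email.
        if not reauthenticated:
            raise PermissionError("re-authentication required before email change")
        # 32 random bytes (~256 bits) instead of a short numeric OTP: infeasible to guess.
        token = secrets.token_urlsafe(32)
        self._pending[account_id] = PendingEmailChange(new_email, token, self._now())
        return token  # in a real system this is e-mailed to new_email, never shown to the caller

    def verify(self, account_id, submitted):
        p = self._pending.get(account_id)
        if p is None:
            return "no_pending"
        if self._now() - p.created_at > TOKEN_TTL_SECONDS:
            del self._pending[account_id]
            return "expired"
        if p.attempts >= MAX_ATTEMPTS:
            del self._pending[account_id]   # lock out: the user must restart the flow
            return "locked"
        p.attempts += 1
        # Constant-time comparison on bytes avoids timing leaks and non-ASCII TypeErrors.
        if hmac.compare_digest(p.token.encode(), submitted.encode()):
            del self._pending[account_id]
            return "verified"
        return "invalid"
```

Once the attempt cap is reached the pending change is discarded even if the next guess is correct, which is what turns an online brute force into a dead end.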

Added: Oct 27, 2025, 8:30 PM
Updated: Oct 27, 2025, 8:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 8.7
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.