FileCodeBox IP Rate Limit Bypass Vulnerability Allowing Denial-of-Service and Brute Force Attacks

Vulnerability

A vulnerability in the IPRateLimit feature of FileCodeBox versions through 2.2 allows remote attackers to bypass IP-based rate limits and restrictions on failed attempts. This is achieved by spoofing the X-Real-IP and X-Forwarded-For HTTP headers. The flaw can be exploited to conduct denial-of-service attacks or to brute force share codes.

Impact

Exploitation of this vulnerability can lead to bypassing of IP rate limits, allowing for increased upload attempts or brute force attacks on share codes.

Reproduction

The vulnerability can be reproduced by sending requests to the FileCodeBox application with fake IP addresses in the X-Real-IP and X-Forwarded-For headers. This can be done using a script that automates the process, such as one written in Python that uses the aiohttp library to send the requests. The script can be configured to send a large number of requests in a short period of time, simulating a denial-of-service attack.

Remediation

Users are advised to configure their reverse proxy to drop or overwrite the client-supplied X-Real-IP header (and, since it is spoofable in the same way, X-Forwarded-For), so that only IP information set by the trusted proxy itself reaches the FileCodeBox application.
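Application-side counterpart of that remediation, as an added example (not FileCodeBox's own code): forwarding headers are honoured only when the TCP peer is a trusted proxy, the X-Forwarded-For chain is walked from the right so client-prepended entries are ignored, and the rate limiter is keyed on the resolved address. The TRUSTED_PROXIES ranges are assumed placeholders.

```python
from ipaddress import ip_address, ip_network

# Assumed placeholder ranges: the reverse proxies that actually front the app.
TRUSTED_PROXIES = [ip_network("127.0.0.1/32"), ip_network("10.0.0.0/8")]


def _parse(addr: str):
    try:
        return ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(addr: str) -> bool:
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, headers: dict) -> str:
    """Address a rate limiter should key on. peer_addr is the socket peer."""
    if not _is_trusted(peer_addr):
        return peer_addr  # direct untrusted connection: headers are attacker-controlled
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    if not hops and "x-real-ip" in lowered:
        hops = [lowered["x-real-ip"].strip()]
    # Right to left: skip trusted proxy hops; the first untrusted hop is the client.
    for hop in reversed(hops):
        if _parse(hop) is None:
            return peer_addr  # malformed value in the chain: fail closed to the peer
        if not _is_trusted(hop):
            return hop
    return peer_addr


class FixedWindowLimiter:
    """Minimal per-key fixed-window counter; key it on client_ip(), never on raw headers."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self._state = {}  # key -> (window_start, count)

    def allow(self, key: str, now: float) -> bool:
        start, count = self._state.get(key, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0
        count += 1
        self._state[key] = (start, count)
        return count <= self.limit


def check_request(limiter: FixedWindowLimiter, peer_addr: str, headers: dict, now: float) -> bool:
    """True if this request is within the limit for the resolved client address."""
    return limiter.allow(client_ip(peer_addr, headers), now)
```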

Added: Nov 19, 2025, 8:20 PM
Updated: Nov 19, 2025, 8:20 PM

Vulnerability Rating

Custom Algorithm

category        score
spread          0.0
impact          1.3
exploitability  7.6
remediation     0.0
relevance       1.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.