OpenProject
cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*
- < 16.6.2
OpenProject versions prior to 16.6.2 do not apply brute-force protection to the password change endpoint. Unlike the login form, the endpoint is neither rate limited nor subject to account lockout, so an attacker can submit an unlimited number of password change requests for a given account. Combined with guessed or enumerated user IDs, this allows the account's password to be brute-forced, leading to full account compromise. Depending on the user's role, this can result in further privilege escalation within the application.
Successful exploitation results in full compromise of the targeted account; depending on that user's role, it may also enable privilege escalation within the application.
To reproduce, send repeated password change requests to the `/account/change_password` endpoint for a target account and observe that the requests are neither throttled nor followed by a lockout after a number of failed attempts. The attempts can be sent manually or automated with a script or tool that cycles through common passwords, provided the target user ID is known or can be guessed.
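The following is an added example, not OpenProject's code or part of the original advisory, of a small probe that sends candidate passwords to `/account/change_password` and stops as soon as the server answers with a throttling or lockout response. The form field names, the lack of CSRF and session handling, the lockout markers and the `make_fake_sender` stand-in (used so the script runs offline) are all assumptions for illustration; check the form on your own instance before pointing `http_sender` at it.

```python
"""Probe whether a password-change endpoint throttles repeated attempts.

Added example, not OpenProject's code. Field names, CSRF/session handling and
the lockout markers are assumptions; verify them against your own instance.
"""
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

Sender = Callable[[str], Tuple[int, str]]

# Status codes and body fragments treated as evidence of brute-force protection.
THROTTLE_STATUSES = {429, 423}
THROTTLE_MARKERS = ("too many", "locked", "rate limit")

# Constructed candidate list for the demonstration (not a real wordlist).
COMMON_PASSWORDS = ["123456", "password", "openproject", "welcome1",
                    "admin123", "letmein", "qwerty", "changeme"]


@dataclass
class Attempt:
    candidate: str
    status: int
    throttled: bool


def http_sender(base_url: str, user_id: str, new_password: str) -> Sender:
    """Build a sender that POSTs one guess to the real endpoint.

    The field names (user_id, password, new_password,
    new_password_confirmation) are assumed, not taken from OpenProject.
    """
    url = base_url.rstrip("/") + "/account/change_password"

    def send(candidate: str) -> Tuple[int, str]:
        form = {
            "user_id": user_id,
            "password": candidate,
            "new_password": new_password,
            "new_password_confirmation": new_password,
        }
        data = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            # 4xx/5xx are answers we want to classify, not transport failures.
            return err.code, err.read().decode("utf-8", "replace")

    return send


def make_fake_sender(limit: Optional[int]) -> Sender:
    """Constructed stand-in for offline use. Every guess is rejected with 422;
    when `limit` is set the endpoint starts answering 429 after `limit`
    failures (a protected endpoint), while `limit=None` mimics the
    unthrottled behaviour described in the advisory."""
    count = [0]

    def send(candidate: str) -> Tuple[int, str]:
        count[0] += 1
        if limit is not None and count[0] > limit:
            return 429, "Too many failed attempts. Try again later."
        return 422, "Current password is invalid."

    return send


def probe_throttling(send: Sender, candidates: Iterable[str],
                     max_attempts: int = 20) -> List[Attempt]:
    """Send candidates until the server throttles or max_attempts is reached."""
    attempts: List[Attempt] = []
    for candidate in candidates:
        if len(attempts) >= max_attempts:
            break
        status, body = send(candidate)
        lowered = body.lower()
        throttled = status in THROTTLE_STATUSES or any(m in lowered for m in THROTTLE_MARKERS)
        attempts.append(Attempt(candidate, status, throttled))
        if throttled:
            break
    return attempts


def attempts_before_throttle(attempts: List[Attempt]) -> Optional[int]:
    """Number of attempts the server accepted before throttling. None means it
    never throttled within the probe, i.e. the endpoint behaves as described."""
    for index, attempt in enumerate(attempts):
        if attempt.throttled:
            return index
    return None


if __name__ == "__main__":
    for label, sender in (("unthrottled", make_fake_sender(None)),
                          ("throttled after 5", make_fake_sender(5))):
        result = probe_throttling(sender, COMMON_PASSWORDS, max_attempts=8)
        print(label, "->", attempts_before_throttle(result), "accepted before throttle")
```

A probe that returns `None` from `attempts_before_throttle` after a few dozen attempts is the condition the advisory describes; a patched or proxy-protected instance should return a small number. Keep `max_attempts` low when testing a production instance so the probe itself does not lock out a real user.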
Upgrade to OpenProject version 16.6.2 or later; the fix can also be applied manually as a patch. If an immediate upgrade is not possible, restrict unauthenticated access to the password change endpoint, apply rate limits or IP-based throttling in front of it (for example at the reverse proxy), and enforce strong, unique passwords for all users.
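As an added illustration of the safeguard the advisory says the endpoint lacked, and not OpenProject's implementation, the following sketches a password-change handler guarded by a sliding-window failed-attempt limiter keyed on both the target account and the source IP. The thresholds, the in-memory PBKDF2 user store, the handler signature and the 12-character policy are illustrative assumptions; an injectable clock is used so the lockout expiry can be exercised without waiting.

```python
"""Failed-attempt lockout for a password-change handler.

Added example, not OpenProject's code. Thresholds, the in-memory user store
and the handler signature are illustrative assumptions.
"""
import hashlib
import hmac
import os
import time
from collections import deque
from typing import Callable, Deque, Dict, Tuple

# Constructed in-memory user store: user_id -> (salt, PBKDF2-SHA256 digest).
_USERS: Dict[str, Tuple[bytes, bytes]] = {}
_ITERATIONS = 100_000


def set_password(user_id: str, password: str) -> None:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    _USERS[user_id] = (salt, digest)


def verify_password(user_id: str, password: str) -> bool:
    """Constant-time comparison; an unknown user does the same work and fails
    the same way as a wrong password, so the handler cannot be used to
    enumerate user IDs."""
    salt, digest = _USERS.get(user_id, (bytes(16), bytes(32)))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, digest) and user_id in _USERS


class AttemptLimiter:
    """Sliding-window limiter: `max_failures` failures for a key within
    `window` seconds lock that key for `lockout` seconds."""

    def __init__(self, max_failures: int = 5, window: float = 300.0,
                 lockout: float = 900.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, key: str) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:  # lock expired: drop the failure history too
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key: str) -> bool:
        """Count one failure; return True if this failure triggered a lock."""
        now = self.clock()
        history = self._failures.setdefault(key, deque())
        history.append(now)
        while history and now - history[0] > self.window:
            history.popleft()
        if len(history) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def change_password(limiter: AttemptLimiter, user_id: str, client_ip: str,
                    current_password: str, new_password: str) -> Tuple[int, str]:
    """Guarded handler. Failures count against both the account and the
    source IP, so one attacker cycling through many accounts and many
    sources hammering one account are both throttled. Locked requests are
    refused before the password check so they cannot extend the lock or
    leak whether the guess was right."""
    keys = (f"user:{user_id}", f"ip:{client_ip}")
    if any(limiter.is_locked(k) for k in keys):
        return 429, "Too many failed attempts. Try again later."
    if not verify_password(user_id, current_password):
        for k in keys:
            limiter.record_failure(k)
        return 422, "Current password is invalid."
    if len(new_password) < 12:  # minimal strength policy, assumed for the example
        return 422, "New password must be at least 12 characters."
    for k in keys:
        limiter.record_success(k)
    set_password(user_id, new_password)
    return 200, "Password changed."
```

Per-account lockout is a trade-off: an attacker who knows a user ID can keep that user locked out, which is why the lockout window here is short and the IP key is checked alongside it. The same two-key throttling can be applied in front of an unpatched instance at the reverse proxy, which is the interim measure the advisory suggests.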