Headline
CVE-2023-0777: Merge pull request #2767 from modoboa/api-throttling · modoboa/modoboa@47d17ac
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
@@ -16,6 +16,7 @@
from modoboa.core.password_hashers import get_password_hasher from modoboa.core.utils import check_for_updates from modoboa.lib.throttle import UserLesserDdosUser, LoginThrottle, PasswordResetApplyThrottle, PasswordResetRequestThrottle, PasswordResetTotpThrottle from modoboa.parameters import tools as param_tools
from smtplib import SMTPException @@ -25,9 +26,20 @@ logger = logging.getLogger(“modoboa.auth”)
def delete_cache_key(class_target, throttles, request): “""Attempt to delete cache key from throttling on login/password reset success.""”
for throttle in throttles: if type(throttle) == class_target: throttle.reset_cache(request) return
class TokenObtainPairView(jwt_views.TokenObtainPairView): “""We overwrite this view to deal with password scheme update.""”
throttle_classes = [LoginThrottle]
def post(self, request, *args, **kwargs): serializer = self.get_serializer(data=request.data) try: @@ -42,6 +54,10 @@ def post(self, request, *args, **kwargs):
user = serializer.user login(request, user)
# Reset login throttle delete_cache_key(LoginThrottle, self.get_throttles(), request)
logger.info( _(“User ‘%s’ successfully logged in”), user.username ) @@ -85,6 +101,8 @@ class EmailPasswordResetView(APIView): An Api View which provides a method to request a password reset token based on an e-mail address. “"”
throttle_classes = [PasswordResetRequestThrottle]
def post(self, request, *args, **kwargs): serializer = serializers.PasswordRecoveryEmailSerializer( data=request.data, context={’request’: request}) @@ -96,6 +114,7 @@ def post(self, request, *args, **kwargs): "type": "email", "reason": “Error while sending the email. Please contact an administrator.” }, 503)
# Email response return response.Response({"type": "email"}, 200)
@@ -114,13 +133,16 @@ def post(self, request, *args, **kwargs): serializer.is_valid(raise_exception=True) except serializers.NoSMSAvailable: return super().post(request, *args, **kwargs)
# SMS response return response.Response({"type": "sms"}, 200)
class PasswordResetSmsTOTP(APIView): “"” Check SMS Totp code. “"”
throttle_classes = [PasswordResetTotpThrottle]
def post(self, request, *args, **kwargs): try: if request.data[“type”] == "confirm": @@ -140,12 +162,15 @@ def post(self, request, *args, **kwargs): "id": serializer_response[1], "type": “confirm” }) delete_cache_key(PasswordResetTotpThrottle, self.get_throttles(), request) return response.Response(payload, 200)
class PasswordResetConfirmView(APIView): “"” Get and set new user password. “"”
throttle_classes = [PasswordResetApplyThrottle]
def post(self, request, *args, **kwargs): serializer = serializers.PasswordRecoveryConfirmSerializer( data=request.data) @@ -159,12 +184,15 @@ def post(self, request, *args, **kwargs): data.update({"errors": errors}) return response.Response(data, 400) serializer.save() delete_cache_key(PasswordResetApplyThrottle, self.get_throttles(), request) return response.Response(status=200)
class ComponentsInformationAPIView(APIView): “""Retrieve information about installed components.""”
throttle_classes = [UserLesserDdosUser]
@extend_schema(responses=serializers.ModoboaComponentSerializer(many=True)) def get(self, request, *args, **kwargs): status, extensions = check_for_updates()
Related news
modoboa version 2.0.4 suffers from an administrative takeover vulnerability.
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.