ESkooly - Broken Authentication

Introduction

Authentication mechanisms are critical to securing any web application. Broken authentication vulnerabilities can lead to unauthorized access and privilege escalation, posing significant security risks. This post delves into the broken authentication findings from the Eskooly security report and explains the associated CVEs, highlighting how these vulnerabilities were discovered and their potential impacts.

Broken Authentication Findings

The security assessment of Eskooly Free Online School Management Software v.3.0 revealed several critical vulnerabilities under the category of "Broken Authentication." These vulnerabilities include issues like weak password policies, lack of multi-factor authentication (MFA), inadequate account lockout mechanisms, and improper handling of user accounts and HTTP response headers.

Key Findings

  1. Brute Force Attack

  • Description:

The system allows unlimited login attempts without locking out the account after several failed attempts, making it vulnerable to brute force attacks.

  • Impact:

An attacker can repeatedly attempt passwords until they find the correct one, leading to unauthorized access.

  • Example Exploitation:

An attacker can perform a brute-force attack on the login endpoint, trying different password combinations until successful.

  2. Weak Password Policy

  • Description:

The application enforces weak password policies that do not require complex passwords, making it easier for attackers to guess passwords.

  • Impact:

Increases the likelihood of successful brute-force and dictionary attacks.

  • Example Exploitation:

Registering and logging in with simple passwords like "123456" or "password" allows attackers to easily compromise accounts.

  3. No Account Lockout

  • Description:

The system does not lock accounts after multiple failed login attempts, allowing attackers to persist in brute force attacks.

  • Impact:

Facilitates unauthorized access through persistent password guessing.

  • Example Exploitation:

An attacker can continually attempt to guess passwords for a user account without being locked out, eventually succeeding.

  4. Use of Single-Factor Authentication

  • Description:

The application relies solely on passwords for authentication, lacking the additional security provided by multi-factor authentication (MFA).

  • Impact:

Single-factor authentication makes it easier for attackers to gain access if passwords are compromised.

  • Example Exploitation:

An attacker who acquires a user's password through phishing or social engineering can log in without needing a second form of verification.

  5. Inadequate Password Update Verification

  • Description:

The system allows password changes without verifying the current password, making it easier for attackers to change user passwords if they gain initial access.

  • Impact:

Facilitates account takeover if attackers can initiate password changes without the current password.

  • Linked CVE:

    • CVE-2024-27715

  • Example Exploitation:

An attacker logged in with a compromised session can change the account password without needing the original password, locking out the legitimate user.
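The following Python example is added here as an illustration of the server-side controls that close findings 1, 2, 3 and 5; it is not code from the Eskooly project or from the security report. It shows a password policy check at registration, a failed-attempt counter with a temporary lockout at login, and a password-change handler that re-verifies the current password before accepting a new one (the weakness tracked as CVE-2024-27715). The `AuthService` class, the lockout thresholds, the PBKDF2 parameters and the small common-password denylist are assumptions chosen for this example, not Eskooly's settings.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumed policy values for this example (not taken from Eskooly).
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 200_000
# Constructed denylist; a real deployment would check a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate password against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_password_policy(password: str) -> List[str]:
    """Finding 2: reject short, common, or single-class passwords. Returns a list of problems."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"must be at least {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if not re.search(r"[A-Za-z]", password) or not re.search(r"\d", password):
        problems.append("must contain both letters and digits")
    return problems


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class AuthService:
    """In-memory account store with lockout and verified password changes (example only)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.accounts: Dict[str, Account] = {}
        self.clock = clock  # injectable so tests can advance time

    def register(self, username: str, password: str) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def login(self, username: str, password: str) -> str:
        """Findings 1 and 3: count failures and lock the account temporarily."""
        acct = self.accounts.get(username)
        if acct is None:
            # Burn the same hashing cost for unknown users so timing does not reveal valid usernames.
            hash_password(password, b"dummy-salt-for-equal-timing")
            return "invalid"
        now = self.clock()
        if now < acct.locked_until:
            return "locked"  # do not evaluate the password while locked
        if verify_password(password, acct.salt, acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return "invalid"

    def change_password(self, username: str, current_password: str, new_password: str) -> str:
        """Finding 5: require the current password before accepting a new one."""
        acct = self.accounts[username]
        if not verify_password(current_password, acct.salt, acct.digest):
            return "current_password_invalid"
        if check_password_policy(new_password):
            return "policy_violation"
        acct.salt, acct.digest = hash_password(new_password)
        return "ok"
```

The lockout returns `"locked"` without evaluating the password, so a locked account cannot be probed further until the window expires; the re-authentication step in `change_password` is what prevents a hijacked session alone from being enough to take over the account. Finding 4 (MFA) is not covered by this example.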

Conclusion

The combined impact of these broken authentication vulnerabilities is severe. They allow attackers to:

  • Gain unauthorized access to user and administrative accounts.
  • Escalate privileges within the application.
  • Compromise sensitive user data and application integrity.
  • Perform unauthorized actions, such as modifying or deleting data.
