Description

CWE-307: Improper Restriction of Excessive Authentication Attempts

An attacker can easily utilize `Plogin` to brute force a valid user's password.

Details

The `Plogin` function in `sb-callback.php` is not rate-limited and is susceptible to brute force attacks against a valid user account.

When combined with the issues "Vulnerability in Forgot Password implementation" (#975) and "Security: XAJAX API 'Plogin' can bypass disabled 'Enable Normal Login'" (#989), this allows for the enumeration of valid usernames and the brute forcing of passwords regardless of whether the end user disables "Normal Login". This process can be easily automated utilizing known leaked credentials.

Referenced code: sourcebans-pp/web/includes/sb-callback.php, line 104 in 62f2ab7
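As an added example (not the project's own code, and not taken from sb-callback.php), the control the report says is missing: a per-account and per-IP failed-attempt throttle that a login handler such as `Plogin` could consult before verifying a password. The in-memory store, the thresholds and the class name are assumptions for illustration.

```php
<?php
// Added example, not SourceBans++ code: a failed-login throttle that a handler
// such as Plogin could consult before checking a password. Storage is an
// in-memory array for illustration; persist it (DB, APCu, Redis) in practice.
final class LoginThrottle
{
    private array $store = []; // key => [failures, windowStart, lockedUntil]

    public function __construct(
        private int $maxFailures = 5,   // failures tolerated per window
        private int $windowSecs = 900,  // counting window, seconds
        private int $lockoutSecs = 900  // lockout once the limit is reached
    ) {}
    /** True while either the account or the source IP is locked out. */
    public function isBlocked(string $username, string $ip, int $now): bool
    {
        foreach ($this->keys($username, $ip) as $key) {
            if (($this->store[$key]['lockedUntil'] ?? 0) > $now) {
                return true;
            }
        }
        return false;
    }
    /** Count a failure; starts a lockout when the limit is reached. */
    public function recordFailure(string $username, string $ip, int $now): void
    {
        foreach ($this->keys($username, $ip) as $key) {
            $e = $this->store[$key] ?? null;
            if ($e === null || $now - $e['windowStart'] > $this->windowSecs) {
                $e = ['failures' => 0, 'windowStart' => $now, 'lockedUntil' => 0];
            }
            if (++$e['failures'] >= $this->maxFailures) {
                $e['lockedUntil'] = $now + $this->lockoutSecs;
            }
            $this->store[$key] = $e;
        }
    }
    /** Clear counters after a successful login so normal users are not locked. */
    public function recordSuccess(string $username, string $ip): void
    {
        foreach ($this->keys($username, $ip) as $key) {
            unset($this->store[$key]);
        }
    }
    // Per-account key (case-folded) plus per-IP key; a hard account lockout also
    // lets anyone lock a known account, so a growing delay is often preferred.
    private function keys(string $username, string $ip): array
    {
        return ['user:' . strtolower($username), 'ip:' . $ip];
    }
}
```

The handler would call `isBlocked()` first and return the same generic failure message for an unknown username, a wrong password and a locked account, which also removes the enumeration signal the linked issues depend on.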