
Bypass account protection #524

Closed
gozan10 opened this issue Nov 5, 2022 · 1 comment


gozan10 commented Nov 5, 2022

Hi team,

I found a way to bypass account protection (not blocked when brute-forcing an account).

Steps (*this is a demo of some cases):

  1. If I log in wrongly too many times, it will be locked
    (screenshot)

  2. But I can bypass it by inserting an X-Forwarded-For header, then brute-force without being locked (using the Intruder plugin of Burp Suite)
    (screenshot)

  3. Set the payload to brute-force and start the attack
    (screenshot)
    (screenshot)

  4. Result: found the user (bypassed account protection without being blocked)
    (screenshot)

mrbaseman added a commit to mrbaseman/WBCE_CMS that referenced this issue Nov 13, 2022
Usually, IP addresses with multiple failed login attempts should be
blocked. An attacker could bypass this by sending an X-Forwarded-For
header and changing that IP with each attempt. Since REMOTE_ADDR
is harder to fake, we should first check that one and only if that one is
not set for some reason, rely on other variables.
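The following PHP is an added example, not WBCE_CMS's own code, written to show the defect reported above next to the REMOTE_ADDR-first resolution the commit describes. It goes one step beyond the commit: it also assumes a configured allow-list of reverse-proxy addresses (`$trusted_proxies`) so that a deployment behind a proxy can still recover the real client address without letting the client pick it. All function names and the sample addresses are illustrative.

```php
<?php
// Added example, not WBCE_CMS code. Contrasts an IP resolution that trusts
// X-Forwarded-For (the reported flaw) with a REMOTE_ADDR-first resolution
// extended by an assumed trusted-proxy allow-list. Names are illustrative.

// Vulnerable: prefers the client-supplied header over the TCP peer address,
// so every request can present a fresh "IP" and the counter never reaches
// the lockout limit.
function client_ip_vulnerable(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    return $server['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Hardened: REMOTE_ADDR comes from the connection and is used first.
// X-Forwarded-For is consulted only when the connection comes from a
// configured reverse proxy, and is then walked from the right, skipping
// trusted hops, so the client cannot choose the value that gets used.
function client_ip_hardened(array $server, array $trusted_proxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // no usable connection address; never trust headers
    }
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote; // direct connection: ignore forwarding headers
    }
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: fall back to the proxy address
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop; // first untrusted hop from the right is the real client
        }
    }
    return $remote;
}

// Minimal failed-login counter keyed by the resolved IP; returns true once
// the limit is reached (account/IP locked).
function record_failure(array &$counter, string $ip, int $limit = 5): bool
{
    $counter[$ip] = ($counter[$ip] ?? 0) + 1;
    return $counter[$ip] >= $limit;
}

// Constructed scenario: one connection address (TEST-NET-3), a different
// header value on every attempt. Returns whether the lockout ever triggered.
function simulate(callable $resolver, int $attempts): bool
{
    $counter = [];
    for ($i = 1; $i <= $attempts; $i++) {
        $server = [
            'REMOTE_ADDR'          => '203.0.113.7',
            'HTTP_X_FORWARDED_FOR' => "198.51.100.$i", // rotating client-supplied value
        ];
        if (record_failure($counter, $resolver($server))) {
            return true;
        }
    }
    return false;
}

echo 'vulnerable resolver locked: ', var_export(simulate('client_ip_vulnerable', 20), true), PHP_EOL;
echo 'hardened resolver locked:   ', var_export(simulate('client_ip_hardened', 20), true), PHP_EOL;

// Constructed deployment behind a trusted proxy at 10.0.0.2: the proxy appends
// the real peer to the header, and the walk from the right picks it out.
echo 'behind trusted proxy: ', client_ip_hardened(
    ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7'],
    ['10.0.0.2']
), PHP_EOL;
```

Two deployment caveats follow from the hardened version. First, if the application sits behind a reverse proxy and the proxy address is not on the allow-list, every visitor resolves to the proxy's REMOTE_ADDR and shares one failure counter, so a lockout keyed on IP would affect all users at once; the allow-list exists precisely so the real client can be recovered in that case. Second, the allow-list must hold only addresses that actually terminate client connections, because any address on it is permitted to speak for the client.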

instantflorian commented Dec 3, 2022

Fixed in https://github.com/WBCE/WBCE_CMS/releases/tag/1.5.4. Thanks for reporting.
