WBCE / WBCE_CMS

Core package of WBCE CMS. This package includes the core and the default addons. Visit https://wbce.org (DE) or https://wbce-cms.org (EN) to learn more or to join the WBCE CMS community.
GNU General Public License v2.0

Bypass account protection #524

Status: Closed. gozan10 closed this 1 year ago.

gozan10 commented 1 year ago

Hi team,

I found a way to bypass account protection (not blocked when brute-forcing an account).

Steps (this is a demo of some cases):

  1. If I log in wrongly too many times, it will be locked.

  2. But I can bypass it by inserting an X-Forwarded-For header, then brute-force without being locked (using the Intruder plugin of Burp Suite).

  3. Set the payload to brute-force and start the attack.

  4. Result: user found (account protection bypassed without being blocked).
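The root cause in the report is a lockout keyed on a client-supplied header. The Python below is an added example of how a defender closes that gap; it is not WBCE's code. It honours X-Forwarded-For only when the direct TCP peer falls inside a trusted reverse-proxy range (`TRUSTED_PROXIES`, a constructed value), walks the chain from the right so only the hop the proxy actually saw is used, and additionally counts failures per account so that changing the apparent IP does not help against a single target. `USERS`, `LoginGuard` and `forged_header_attempts` are hypothetical names for this example.

```python
import ipaddress
from typing import Dict, List

# Constructed for this example: address ranges of the reverse proxies that are
# allowed to set X-Forwarded-For. Anything else connecting directly is the
# client itself, and its forwarding headers are untrusted input.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed stand-in for the real credential check (a real app compares
# against a password hash; the lockout logic is the point here).
USERS = {"admin": "constructed-demo-password"}


def _is_trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, headers: Dict[str, str]) -> str:
    """Return the address to key rate limiting on.

    X-Forwarded-For is honoured only when the direct TCP peer is a trusted
    proxy. The chain is walked from the right, skipping trusted hops, so the
    first untrusted hop is the client the proxy actually saw; entries further
    left were supplied by the client and can say anything.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted(peer):
        return str(peer)
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


class LoginGuard:
    """Counts failed logins per resolved client IP and per account."""

    def __init__(self, max_failures: int = 5) -> None:
        self.max_failures = max_failures
        self.by_ip: Dict[str, int] = {}
        self.by_user: Dict[str, int] = {}

    def is_locked(self, username: str, ip: str) -> bool:
        return (self.by_ip.get(ip, 0) >= self.max_failures
                or self.by_user.get(username.lower(), 0) >= self.max_failures)

    def attempt(self, username: str, password: str,
                peer_addr: str, headers: Dict[str, str]) -> str:
        """Return 'locked', 'denied' or 'ok'. The lock is checked before the
        password so a locked account cannot be probed at all."""
        ip = client_ip(peer_addr, headers)
        user = username.lower()
        if self.is_locked(user, ip):
            return "locked"
        if USERS.get(user) == password:
            self.by_ip.pop(ip, None)
            self.by_user.pop(user, None)
            return "ok"
        self.by_ip[ip] = self.by_ip.get(ip, 0) + 1
        self.by_user[user] = self.by_user.get(user, 0) + 1
        return "denied"


def forged_header_attempts(guard: LoginGuard, count: int) -> List[str]:
    """count wrong guesses from one untrusted peer, each carrying a different
    X-Forwarded-For value, as in the report. Because the peer is not a trusted
    proxy the header is ignored, and the lock engages after max_failures."""
    results = []
    for i in range(count):
        headers = {"X-Forwarded-For": f"203.0.113.{i + 1}"}  # constructed, forged per request
        results.append(guard.attempt("admin", f"wrong{i}", "198.51.100.7", headers))
    return results


if __name__ == "__main__":
    print(forged_header_attempts(LoginGuard(), 7))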

instantflorian commented 1 year ago

Fixed in https://github.com/WBCE/WBCE_CMS/releases/tag/1.5.4. Thanks for reporting.