backdrop / backdrop-issues

Issue tracker for Backdrop core.
145 stars 40 forks source link

User edit form does not use flood control and allow for password brute force attacks #6452

Open avpaderno opened 7 months ago

avpaderno commented 7 months ago

This is the equivalent of [D7] User edit form does not use flood control and allow for password brute force attacks and User edit form does not use flood control and allow for password brute force attacks.

Essentially, having access to a user edit form (the original issue says "if an attacker is able to get a user's session cookie"), it is possible to try to guess the account password by brute force, since there is no limit to the number of try that can be done, which are usually under flood control.

Any change to the password should be under flood control.

As a side note, the Drupal 8+ (now Drupal 11) issue is postponed because the flood control code is refactored and moved in a Drupal service. Such change is not necessary in Backdrop, which does not use Symfony services.

avpaderno commented 7 months ago

I cannot see why the tests are failing. The test code I added should be correctly copied.

stpaultim commented 7 months ago

@kiamlaluno - Can you provide any guidance on how to test this issue?

avpaderno commented 7 months ago

@stpaultim Leaving out the "get a user's session cookie" part, try editing an existing user account by changing its mail, and putting a wrong password in the Current password field. Then, click on the Save button.
In the PR preview site, change the email address for the admin account to admin2323@example.com (for example) and enter a random string in the Current password field.

A plain Backdrop site will allow you to keep putting a wrong password in that field and clicking on Save; it will always show Your current password is missing or incorrect; it's required to change the Email address.
With the PR, the site would still show that error message, but at the sixth time it will show Sorry, you have entered incorrect password more than 5 times. Changes to fields that require current password are temporarily blocked. Try again later.

(It shows more than 5 times because the flood limit by default is five failed attempts every six hours.)

stpaultim commented 7 months ago

I can confirmed the problem with an existing test site and verified that the problem appears to be solved on the sandbox site. To test, I did the following:

1) Changed the email addres for the admin account 2) Tried repeatedly to save my changes after entering an incorrect password. 3) On the sixth atttempt I got this message.

image

Still failing some tests.