flatpressblog / flatpress

FlatPress is a lightweight, easy-to-set-up flat-file blogging engine.
https://flatpress.org
GNU General Public License v2.0

Improper Restriction of Excessive Authentication Attempts #87

Closed melbinkm closed 1 week ago

melbinkm commented 3 years ago

The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

Tested the login function with 100+ wrong passwords and found that there is no restriction implemented to control excessive authentication attempts. A POST request with wrong credentials results in a 200 and with correct credentials in a 302 response from the server.

[Screenshot: Brute Force Attack]

The above screenshot shows the test using the Burp Suite Intruder tool.
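One way to close the gap described in this report, as an added example that is not part of the FlatPress code base or of this thread: a small flat-file throttle in PHP (the project's language) that locks an IP/username pair for a while after repeated failures. The class and method names, the storage directory and the limits are assumptions, not project settings.

```php
<?php
// Added example, not FlatPress code: a flat-file throttle for failed logins.
// Assumes $dir is a writable directory outside the web root; the limits below
// are hypothetical values, not project settings.
final class LoginThrottle
{
    private const MAX_FAILURES   = 5;    // failures allowed per window
    private const WINDOW_SECONDS = 900;  // sliding window: 15 minutes
    private const LOCK_SECONDS   = 900;  // lockout once the limit is reached
    private string $dir;
    public function __construct(string $dir) { $this->dir = $dir; }

    // Key by client IP and username so one source cannot lock out every user.
    private function path(string $ip, string $user): string
    {
        return $this->dir . '/' . hash('sha256', $ip . "\0" . strtolower($user)) . '.json';
    }

    private function load(string $file): array
    {
        $raw  = @file_get_contents($file);
        $data = $raw === false ? null : json_decode($raw, true);
        return is_array($data) ? $data : ['failures' => [], 'locked_until' => 0];
    }

    // Call before verifying the password; false means this IP/user pair is locked out.
    public function loginAllowed(string $ip, string $user, ?int $now = null): bool
    {
        return $this->load($this->path($ip, $user))['locked_until'] <= ($now ?? time());
    }

    // After a wrong password: drop failures outside the window, add this one, lock at the limit.
    public function recordFailure(string $ip, string $user, ?int $now = null): void
    {
        $now  = $now ?? time();
        $file = $this->path($ip, $user);
        $data = $this->load($file);
        $data['failures'] = array_values(array_filter(
            $data['failures'], fn($t) => $t > $now - self::WINDOW_SECONDS));
        $data['failures'][] = $now;
        if (count($data['failures']) >= self::MAX_FAILURES) {
            $data['locked_until'] = $now + self::LOCK_SECONDS;
            $data['failures']     = [];
        }
        file_put_contents($file, json_encode($data), LOCK_EX); // LOCK_EX: no lost updates
    }

    // Call after a successful login so stale failures do not accumulate.
    public function clearFailures(string $ip, string $user): void
    {
        @unlink($this->path($ip, $user));
    }
}
```

Answer a locked-out attempt with the same generic failure response as a wrong password, and treat keying by client IP as only a partial control behind NAT or shared proxies.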

azett commented 3 years ago

Thank you very much for testing and reporting this. We will create a fix asap.

azett commented 1 year ago

typo -.-

Fraenkiman commented 1 week ago

Done with 3e96957