Topic: security
Plugin-version: 2.8.3
PHP: independent
Impact: medium
Observation
Rate limiting is applied to login attempts: the login is blocked once a configured number of attempts has been made.
To avoid locking a user out entirely, a single login attempt per new IP address is still allowed even while the user is locked.
With IPv6 the limiter likewise keys on the bare address. As a customer you typically receive a complete /64 subnet from your internet provider, so you can create 2^64 IPv6 addresses and use each of them once to try a password. With IPv6, therefore, the rate limiting does not work as intended.
Solution
Block IPv6 /64 subnets instead of individual IPv6 addresses.
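The following is an added illustration, not the plugin's own code, of why keying the limiter on a /64 closes the gap. It models the policy described above (a user is locked after a configured number of failures, but a client key never seen before still gets one attempt against a locked user) and compares per-address keying with per-/64 keying. The user name, the limit of 5 and the addresses in 2001:db8:1:2::/64 are constructed test values.

```python
import ipaddress
from collections import defaultdict


def client_key(ip: str, key_by_subnet: bool, v6_prefix: int = 64) -> str:
    """Return the bucket key used to identify a client.

    key_by_subnet=False: every address is its own key (the reported behaviour).
    key_by_subnet=True:  an IPv6 address is collapsed to its /64, so every
                         address minted from one delegated prefix shares a key.
    IPv4 addresses are used as-is (/32) either way.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and key_by_subnet:
        return str(ipaddress.ip_network((addr, v6_prefix), strict=False))
    return str(addr)


class LoginLimiter:
    """Toy model of the policy in the report (assumed, not the plugin's code):
    lock the user after max_attempts failures, but allow one attempt from a
    client key that has not been seen before, to avoid a full lock-out."""

    def __init__(self, max_attempts: int = 5, key_by_subnet: bool = False):
        self.max_attempts = max_attempts
        self.key_by_subnet = key_by_subnet
        self.failures = defaultdict(int)   # username -> failed attempts
        self.seen = defaultdict(set)       # username -> client keys seen

    def allow(self, username: str, ip: str) -> bool:
        key = client_key(ip, self.key_by_subnet)
        first_time = key not in self.seen[username]
        self.seen[username].add(key)
        locked = self.failures[username] >= self.max_attempts
        # A locked user may still be tried once from a never-seen client key.
        return first_time or not locked

    def record_failure(self, username: str, ip: str) -> None:
        self.failures[username] += 1


def attempts_allowed_from_one_prefix(key_by_subnet: bool, n: int = 20,
                                     max_attempts: int = 5) -> int:
    """Regression check: n failed logins against one user, each from a
    different address inside the constructed prefix 2001:db8:1:2::/64.
    Returns how many of them the limiter let through."""
    limiter = LoginLimiter(max_attempts, key_by_subnet)
    allowed = 0
    for i in range(n):
        ip = f"2001:db8:1:2::{i + 1:x}"
        if limiter.allow("alice", ip):
            allowed += 1
            limiter.record_failure("alice", ip)
    return allowed


if __name__ == "__main__":
    print("per-address keying allowed:", attempts_allowed_from_one_prefix(False))
    print("per-/64 keying allowed:    ", attempts_allowed_from_one_prefix(True))
```

With per-address keying every address in the /64 counts as a new client, so all 20 attempts go through; with per-/64 keying the limiter stops at the configured 5. The anti-lockout allowance still works as designed, because a genuinely different /64 is a new key and gets its one attempt.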