The Plogin function in sb-callback.php is not rate-limited and is susceptible to brute force attacks against a valid user account.
When combined with issues Vulnerability in Forgot Password implementation (#975) and Security: XAJAX API 'Plogin' can bypass disabled 'Enable Normal Login' (#989) allows for the enumeration of valid usernames and the brute forcing of passwords regardless of if the end user disables "Normal Login". This process can be easily automated utilizing known leaked credentials.
Description
CWE-307: Improper Restriction of Excessive Authentication Attempts An attacker can easily utilize
Plogin
to Brute Force a valid user's passwords.Details
The
Plogin
function insb-callback.php
is not rate-limited and is susceptible to brute force attacks against a valid user account. When combined with issues Vulnerability in Forgot Password implementation (#975) and Security: XAJAX API 'Plogin' can bypass disabled 'Enable Normal Login' (#989) allows for the enumeration of valid usernames and the brute forcing of passwords regardless of if the end user disables "Normal Login". This process can be easily automated utilizing known leaked credentials.https://github.com/sbpp/sourcebans-pp/blob/62f2ab7a2062127d3ceb5c2c52dcb01b69aab461/web/includes/sb-callback.php#L104