sbpp / sourcebans-pp

Admin, ban, and comms management system for the Source engine
https://sbpp.github.io/
Creative Commons Attribution Share Alike 4.0 International
338 stars 173 forks source link

Security: XAJAX API 'Plogin' Vulnerable to Brute Force Attacks #990

Closed butt0n-sudo closed 1 week ago

butt0n-sudo commented 2 months ago

Description

CWE-307: Improper Restriction of Excessive Authentication Attempts An attacker can easily utilize Plogin to Brute Force a valid user's passwords.

Details

The Plogin function in sb-callback.php is not rate-limited and is susceptible to brute force attacks against a valid user account. When combined with issues Vulnerability in Forgot Password implementation (#975) and Security: XAJAX API 'Plogin' can bypass disabled 'Enable Normal Login' (#989) allows for the enumeration of valid usernames and the brute forcing of passwords regardless of if the end user disables "Normal Login". This process can be easily automated utilizing known leaked credentials.

https://github.com/sbpp/sourcebans-pp/blob/62f2ab7a2062127d3ceb5c2c52dcb01b69aab461/web/includes/sb-callback.php#L104

1725399160_grim

Rushaway commented 2 months ago

Thanks, a fix will come later this weekend.