Remove use of headers that can be used to bypass anti-brute force controls #1090
+1
−8
In bl-kernel/security.class.php, there is some code that will check the number of incorrect login attempts made by a host. If the host makes 10 incorrect attempts, they will be temporarily blocked in order to mitigate brute force attempts.

Due to the way the IP address detection is handled, the mechanism can be completely bypassed. The X-Forwarded-For and Client-IP headers are both checked for (presumably in order to try and detect the IP address of people behind proxies). Unfortunately, both of these headers are easily spoofed, and for an attacker that is running an automated brute force, this will make the process significantly easier than, say, switching between VPNs as each address gets banned.

I have included a proof of concept demo below in which you can see a total of 51 requests being made (far exceeding the limit) and successfully recovering my admin password:

This is done by using unique X-Forwarded-For addresses for each request. As there is no validation, simply using the value of the password being attempted will work, allowing for a brute force without the risk of locking anyone out at all, as can be seen when inspecting the log file after the brute force has been completed.

Although with this change it means users who are using a shared IP address via a proxy may be blocked if another person using the same IP is trying to brute force the login page, it will make an automated attack significantly more difficult for an attacker and require that they have multiple IP addresses that they can send traffic from.
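To make the two behaviours described above concrete, here is an added, simplified model of a per-host failed-login counter, written in Python for this page rather than taken from Bludit's PHP code. It places the weak client-address resolution (any caller-supplied X-Forwarded-For or Client-IP value is trusted) beside the fix this pull request makes (only the socket peer address, REMOTE_ADDR, is used), and also shows a third variant, not part of the pull request, that honours X-Forwarded-For only when the request arrives from a configured trusted reverse proxy. The threshold of 10 comes from the description; the address values, header names in CGI form and the attempt store are constructed for the example and stand in for Bludit's real storage.

```python
"""Per-host failed-login limiter: weak vs hardened client-address resolution.

Added example for this pull request discussion, not code from the Bludit
project. The `env` dicts mimic PHP's $_SERVER in CGI form: REMOTE_ADDR is the
TCP peer, HTTP_X_FORWARDED_FOR / HTTP_CLIENT_IP are request headers.
"""
from collections import defaultdict

MAX_ATTEMPTS = 10  # threshold stated in the pull request description


def client_ip_trusting_headers(env):
    """Weak: believes whatever X-Forwarded-For / Client-IP the client sent."""
    for header in ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP"):
        value = env.get(header)
        if value:
            # Leftmost entry, as naive implementations typically do.
            return value.split(",")[0].strip()
    return env["REMOTE_ADDR"]


def client_ip_socket_only(env):
    """What the pull request does: count attempts by the TCP peer only."""
    return env["REMOTE_ADDR"]


def client_ip_trusted_proxy(env, trusted_proxies):
    """Generalisation (assumption, not in the PR): honour X-Forwarded-For only
    when the peer is a known reverse proxy, and take the rightmost hop that is
    not itself a trusted proxy, so clients cannot prepend fake addresses."""
    peer = env["REMOTE_ADDR"]
    forwarded = env.get("HTTP_X_FORWARDED_FOR")
    if peer in trusted_proxies and forwarded:
        hops = [h.strip() for h in forwarded.split(",") if h.strip()]
        for hop in reversed(hops):
            if hop not in trusted_proxies:
                return hop
    return peer


class LoginLimiter:
    """Counts failed logins per resolved address; blocks at MAX_ATTEMPTS.

    Bludit persists attempts to a file and expires them after a delay; this
    in-memory counter keeps only the part relevant to the bypass.
    """

    def __init__(self, resolve_ip, max_attempts=MAX_ATTEMPTS):
        self.resolve_ip = resolve_ip
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)

    def attempt(self, env, password_ok):
        ip = self.resolve_ip(env)
        if self.failures[ip] >= self.max_attempts:
            return "blocked"
        if password_ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "denied"


def simulate_header_rotation(resolve_ip, requests=51):
    """Replays the scenario from the description: one real peer, a different
    X-Forwarded-For value per request (constructed data). Returns how many
    requests the limiter blocked and how many distinct 'hosts' it tracked."""
    limiter = LoginLimiter(resolve_ip)
    outcomes = []
    for i in range(requests):
        env = {
            "REMOTE_ADDR": "203.0.113.7",          # constructed peer address
            "HTTP_X_FORWARDED_FOR": f"guess{i}",   # constructed, rotated per request
        }
        outcomes.append(limiter.attempt(env, password_ok=False))
    return outcomes.count("blocked"), len(limiter.failures)


if __name__ == "__main__":
    print("header-trusting :", simulate_header_rotation(client_ip_trusting_headers))
    print("socket-only     :", simulate_header_rotation(client_ip_socket_only))
```

With the header-trusting resolver all 51 requests are counted against 51 different "hosts" and none is blocked; with the socket-only resolver the same 51 requests are attributed to one peer, so everything after the tenth failure is blocked. The trusted-proxy variant behaves like the socket-only one unless the request genuinely comes from a configured proxy, which is the trade-off the description mentions for deployments behind a shared proxy.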