fix: [security] Brute force protection can be bypased with a PUT request

- fixes an issue where brute forcing the login would work by using PUT requests - as reported by Silver Saks from CCDCOE
MISP · Jun 21, 2018 · 6ffacc1 · 6ffacc1
1 parent 437793a
commit 6ffacc1
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/app/Controller/UsersController.php b/app/Controller/UsersController.php
@@ -856,13 +856,13 @@ public function updateLoginTime() {
 	}
 
 	public function login() {
-		$this->Bruteforce = ClassRegistry::init('Bruteforce');
-		if ($this->request->is('post') && isset($this->request->data['User']['email'])) {
-			if ($this->Bruteforce->isBlacklisted($_SERVER['REMOTE_ADDR'], $this->request->data['User']['email'])) {
-				throw new ForbiddenException('You have reached the maximum number of login attempts. Please wait ' . Configure::read('SecureAuth.expire') . ' seconds and try again.');
-			}
-		}
 		if ($this->request->is('post') || $this->request->is('put')) {
+			$this->Bruteforce = ClassRegistry::init('Bruteforce');
+			if (!empty($this->request->data['User']['email'])) {
+				if ($this->Bruteforce->isBlacklisted($_SERVER['REMOTE_ADDR'], $this->request->data['User']['email'])) {
+					throw new ForbiddenException('You have reached the maximum number of login attempts. Please wait ' . Configure::read('SecureAuth.expire') . ' seconds and try again.');
+				}
+			}
 			// Check the length of the user's authkey
 			$userPass = $this->User->find('first', array(
 				'conditions' => array('User.email' => $this->request->data['User']['email']),