
fix: [security] Brute force protection can be bypased with a PUT request

- fixes an issue where the login could be brute-forced by using PUT requests
- as reported by Silver Saks from CCDCOE
iglocska committed Jun 21, 2018
1 parent 437793a commit 6ffacc1e239930e0e8464d0ca16e432e26cf36a9
Showing with 6 additions and 6 deletions.
  1. +6 −6 app/Controller/UsersController.php
@@ -856,13 +856,13 @@ public function updateLoginTime() {
}
public function login() {
$this->Bruteforce = ClassRegistry::init('Bruteforce');
if ($this->request->is('post') && isset($this->request->data['User']['email'])) {
if ($this->Bruteforce->isBlacklisted($_SERVER['REMOTE_ADDR'], $this->request->data['User']['email'])) {
throw new ForbiddenException('You have reached the maximum number of login attempts. Please wait ' . Configure::read('SecureAuth.expire') . ' seconds and try again.');
}
}
if ($this->request->is('post') || $this->request->is('put')) {
$this->Bruteforce = ClassRegistry::init('Bruteforce');
if (!empty($this->request->data['User']['email'])) {
if ($this->Bruteforce->isBlacklisted($_SERVER['REMOTE_ADDR'], $this->request->data['User']['email'])) {
throw new ForbiddenException('You have reached the maximum number of login attempts. Please wait ' . Configure::read('SecureAuth.expire') . ' seconds and try again.');
}
}
// Check the length of the user's authkey
$userPass = $this->User->find('first', array(
'conditions' => array('User.email' => $this->request->data['User']['email']),
