
Bypass bruteforce protection on login form

Low
NicolasCARPi published GHSA-q67h-5pc3-g6jv Oct 22, 2021

Package

elabftw (web app)

Affected versions

<4.1.0

Patched versions

4.1.0

Description

Impact

This vulnerability affects users of eLabFTW before 4.1.0. It allows an attacker to bypass the brute-force protection mechanism by sending many different forged PHPSESSID values in the HTTP Cookie header: the protection relied on the PHP session, and a session identifier is supplied by the client, so an attacker who presents a fresh one on every request never accumulates enough failed attempts to be throttled.

Note that the protection in place before 4.1.0 was never intended to be unbreakable, and in practice it likely caused more trouble for legitimate users than for an attacker.

Patches

This issue has been addressed by implementing state-of-the-art brute-force login protection, following the device cookies approach recommended by OWASP.

This mechanism does not impact legitimate users and effectively thwarts brute-force password guessing. In short:

  • a successful login sets a signed device cookie on that device, marking it as trusted
  • too many failed attempts from an untrusted device (no valid device cookie) lock the account
  • a locked account can only log in from a trusted device
  • even a correct password guess on a locked account is rejected when it comes from an untrusted device
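As an added example (not eLabFTW's own code, and written in Python rather than the project's PHP so it runs stand-alone), the block below shows both halves of this advisory: a lockout counter keyed on the client-supplied session id, which the rotating-PHPSESSID attack from the Impact section defeats, and the OWASP device-cookie scheme described in the bullets above. The thresholds, the server-side secret and the test account are constructed for illustration and are not eLabFTW's values.

```python
import hashlib, hmac, secrets, time
from collections import defaultdict

MAX_FAILED = 5         # assumed threshold for illustration, not eLabFTW's value
LOCKOUT_SECONDS = 900  # assumed lockout window for illustration, not eLabFTW's value
USERS = {"alice": "correct horse battery staple"}  # constructed test account


def check_password(user, password):
    return USERS.get(user) == password


class SessionKeyedLimiter:
    """Vulnerable pattern: failures are counted per session id, a value the
    client supplies. A fresh id on every request never reaches MAX_FAILED."""

    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, session_id, user, password):
        if self.failures[session_id] >= MAX_FAILED:
            return "locked"
        if check_password(user, password):
            return "ok"
        self.failures[session_id] += 1
        return "bad-password"


class DeviceCookieLimiter:
    """OWASP device cookies: a successful login issues an HMAC-signed cookie.
    Failures from clients without a valid cookie are counted per account and
    lock the account for untrusted clients only; trusted devices keep working."""

    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now
        self.untrusted_failures = defaultdict(int)  # per account
        self.untrusted_lock_until = {}              # account -> unix time
        self.trusted_failures = defaultdict(int)    # per device-cookie nonce
        self.revoked_nonces = set()                 # trusted devices that failed too often

    def _mac(self, user, nonce):
        return hmac.new(self.secret, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()

    def issue_cookie(self, user):
        nonce = secrets.token_hex(16)
        return f"{user}:{nonce}:{self._mac(user, nonce)}"

    def _nonce_from_cookie(self, cookie, user):
        # Return the nonce only if the cookie is authentic and bound to `user`.
        if not cookie or cookie.count(":") != 2:
            return None
        cookie_user, nonce, mac = cookie.split(":")
        if cookie_user != user:
            return None
        if not hmac.compare_digest(mac.encode(), self._mac(user, nonce).encode()):
            return None
        return nonce

    def login(self, user, password, device_cookie=None):
        nonce = self._nonce_from_cookie(device_cookie, user)
        if nonce is not None and nonce not in self.revoked_nonces:
            # Trusted device: its own counter, unaffected by the untrusted lockout.
            if check_password(user, password):
                return "ok", device_cookie
            self.trusted_failures[nonce] += 1
            if self.trusted_failures[nonce] >= MAX_FAILED:
                self.revoked_nonces.add(nonce)  # this device is untrusted from now on
            return "bad-password", None
        # Untrusted client: missing, forged or revoked cookie.
        if self.untrusted_lock_until.get(user, 0) > self.now():
            return "locked", None  # refused even if the password is correct
        if check_password(user, password):
            return "ok", self.issue_cookie(user)
        self.untrusted_failures[user] += 1
        if self.untrusted_failures[user] >= MAX_FAILED:
            self.untrusted_failures[user] = 0
            self.untrusted_lock_until[user] = self.now() + LOCKOUT_SECONDS
        return "bad-password", None


def attack_session_keyed(attempts=20):
    """Attacker rotates a forged session id per guess, then tries the real password."""
    lim = SessionKeyedLimiter()
    results = [lim.login(f"forged-{i}", "alice", f"guess{i}") for i in range(attempts)]
    return results.count("locked"), lim.login("forged-final", "alice", USERS["alice"])


def attack_device_cookie(attempts=20):
    """The same attack with forged device cookies against the OWASP scheme."""
    lim = DeviceCookieLimiter(secret=b"server-side-secret-for-this-example")
    results = [lim.login("alice", f"guess{i}", f"alice:forged{i}:00")[0] for i in range(attempts)]
    return results.count("locked"), lim.login("alice", USERS["alice"])[0]


def trusted_device_during_lockout():
    """A device that logged in before the attack keeps working while the account is locked."""
    lim = DeviceCookieLimiter(secret=b"server-side-secret-for-this-example")
    _, cookie = lim.login("alice", USERS["alice"])
    for _ in range(MAX_FAILED):
        lim.login("alice", "wrong")
    return lim.login("alice", USERS["alice"])[0], lim.login("alice", USERS["alice"], cookie)[0]
```

Against the session-keyed limiter the attacker is never locked and the final correct guess succeeds; against the device-cookie limiter the account locks after MAX_FAILED untrusted failures, the correct guess is then refused, and only the device holding a cookie from an earlier successful login can still sign in. Two design points matter: the cookie must be authenticated with a server-side secret (here HMAC-SHA256 over the user and a random nonce), otherwise the attacker forges "trusted" cookies exactly as they forged PHPSESSID values; and the untrusted lockout is scoped to the account rather than to trusted devices, so an attacker cannot use it to deny service to the legitimate user.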

Workarounds

The only complete fix is to upgrade to version 4.1.0. Adding rate limiting upstream of the eLabFTW service (for example at a reverse proxy, with nginx's limit_req or an equivalent) is also a valid mitigation, with or without upgrading.

References

This vulnerability was found and responsibly disclosed by @krastanoel.

See published paper: https://www.exploit-db.com/docs/50436

For more information

If you have any questions or comments about this advisory:

  • Open an issue here
  • Or create a discussion here

Severity

Low

CVE ID

CVE-2021-41171
