glFusion CMS 1.7.9 user Login denied vulnerability #487
Currently the full name (could be a nickname) is shown along with the username. I don't think it would hurt to show only the full name, if available, otherwise the user name.

Creating a "nickname" field is interesting, but I suspect most users will leave it blank if allowed, or use their login names for it as well.
On Thu, Dec 9, 2021 at 2:12 AM Topsec_bunney wrote:
> We can get the username from this link:
> http://192.168.255.130/glfusion1.7.9/public_html/users.php?mode=profile&uid=3
> [image: firefox_fIwf2EDlUU] <https://user-images.githubusercontent.com/73220685/145376552-976aae00-0893-44b7-ac14-0c1e7de9233f.png>
> So, an attacker can get all usernames.
> Then they can always log in as all users with the wrong password, which will prevent all users from logging in to the website normally.
> [image: firefox_LrrbnCvHFd] <https://user-images.githubusercontent.com/73220685/145376725-bde27dbe-c667-4ba4-8cf4-4b5f99998885.png>
> There are two solutions:
> 1. Set the verification code on the login page.
> 2. Display the user's nickname instead of the login name.
Incidentally, it's worth mentioning that the lockout is based on failed attempts from an IP address, not by user name. So the valid user could still log into the site. Unless they're sharing a public IP with the attacker, of course.
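As an added illustration of the distinction drawn in that comment (example code, not glFusion's own implementation), a small Python model of a temporary login lockout: keyed on the client IP, the attacker's failures lock out only the attacker's address, while keying the same counter on the username would produce exactly the denial of service the report describes. Usernames, passwords, IP addresses and thresholds are constructed sample values.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5        # failed attempts tolerated inside the window
WINDOW_SECONDS = 600    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long a locked key stays blocked

# Constructed sample credential store (hypothetical, not glFusion data).
USERS = {"alice": "correct horse", "bob": "battery staple"}


class LoginThrottle:
    """Temporary lockout whose counter is keyed by key_fn(username, ip)."""

    def __init__(self, key_fn, now=time.time):
        self.key_fn = key_fn
        self.now = now                      # injectable clock for testing
        self.failures = defaultdict(list)   # key -> recent failure timestamps
        self.locked_until = {}              # key -> time the lock expires

    def attempt(self, username, password, ip):
        key = self.key_fn(username, ip)
        t = self.now()
        if self.locked_until.get(key, 0) > t:
            return "locked"                 # reject without checking password
        if USERS.get(username) == password:
            self.failures.pop(key, None)    # success clears the counter
            return "ok"
        recent = [ts for ts in self.failures[key] if t - ts < WINDOW_SECONDS]
        recent.append(t)
        self.failures[key] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = t + LOCKOUT_SECONDS
            return "locked"
        return "bad_password"


def key_by_ip(username, ip):
    return ip                               # what the thread says glFusion does


def key_by_username(username, ip):
    return username.lower()                 # lets a known username be locked out


def simulate(key_fn):
    """Attacker at 203.0.113.9 exhausts alice's attempts; alice then logs in
    from 198.51.100.7. Returns (attacker_status, legitimate_user_status)."""
    clock = [1_000_000.0]
    throttle = LoginThrottle(key_fn, now=lambda: clock[0])
    for _ in range(MAX_FAILURES):
        throttle.attempt("alice", "wrong-password", "203.0.113.9")
        clock[0] += 1.0
    attacker = throttle.attempt("alice", "wrong-password", "203.0.113.9")
    legit = throttle.attempt("alice", "correct horse", "198.51.100.7")
    return attacker, legit
```

Running `simulate(key_by_ip)` locks only the attacker's address, whereas `simulate(key_by_username)` locks the legitimate user out as well, which is the behaviour the reporter was worried about.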
As Lee mentioned, the lockout is temporary and in line with standard practices in performing a temporary lockout to prevent brute force attacks. I don't see this as a vulnerability.

Closing as this is designed behavior.