glFusion CMS 1.7.9 user Login denied vulnerability #487

Closed
Topsec-bunney opened this issue Dec 9, 2021 · 4 comments

@Topsec-bunney

We can get the username at this link:
http://192.168.255.130/glfusion1.7.9/public_html/users.php?mode=profile&uid=3

So, an attacker can get all usernames.

Then they can always log in to all users with the wrong password, which will prevent all users from logging in to the website normally.


There are two solutions:

  1. Set a verification code on the login page

  2. The second is to display the user's nickname instead of the login name

@leegarner
Contributor

leegarner commented Dec 9, 2021 via email

@leegarner
Contributor

leegarner commented Dec 9, 2021 via email

@mark0263
Contributor

As Lee mentioned, the lockout is temporary and in-line with standard practices in performing a temporary lock out to prevent brute force attacks. I don't see this as a vulnerability.

@mark0263
Contributor

closing as this is designed behavior
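
The thread turns on a temporary lockout that is keyed on the login name, so failed attempts by anyone count against the account owner. As an added example (not glFusion code and not written by any participant in this issue), the following Python replays constructed login events through such a lockout and flags a source whose failures lock several accounts; the thresholds, field names and addresses are all assumptions.

```python
from collections import defaultdict

# Assumed policy values for illustration; not glFusion's actual settings.
MAX_FAILURES = 3      # failed attempts before an account is locked
WINDOW = 300          # seconds over which failures are counted
LOCK_SECONDS = 600    # length of the temporary lock
SPRAY_ACCOUNTS = 3    # accounts locked by one source before it is flagged

def analyse(events):
    """events: (ts, source_ip, username, password_ok) tuples in time order.
    Returns (locks, denied, noisy_sources)."""
    failures = defaultdict(list)   # username -> [(ts, ip)] of recent failures
    locked_until = {}              # username -> lock expiry timestamp
    locks, denied = [], []
    locked_by = defaultdict(set)   # source ip -> usernames it helped lock
    for ts, ip, user, password_ok in events:
        if locked_until.get(user, 0) > ts:
            denied.append((ts, ip, user))  # refused even if the password is right
            continue
        if password_ok:
            failures.pop(user, None)       # successful login clears the counter
            continue
        recent = [(t, i) for t, i in failures[user] if ts - t < WINDOW]
        recent.append((ts, ip))
        failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            locked_until[user] = ts + LOCK_SECONDS
            sources = {i for _, i in recent}
            locks.append((ts, user, sources))
            for i in sources:
                locked_by[i].add(user)
            failures.pop(user)
    noisy = {ip for ip, users in locked_by.items() if len(users) >= SPRAY_ACCOUNTS}
    return locks, denied, noisy

# Constructed sample: one source fails three times against each of three
# accounts, then the owner of "alice" tries during and after the lock.
SAMPLE = [(n * 10 + k, "203.0.113.7", user, False)
          for n, user in enumerate(["alice", "bob", "carol"]) for k in range(3)]
SAMPLE += [(60, "198.51.100.20", "alice", True),    # inside the lock window
           (700, "198.51.100.20", "alice", True)]   # after the lock expired

if __name__ == "__main__":
    locks, denied, noisy = analyse(SAMPLE)
    print("locks:", locks)
    print("denied:", denied)
    print("flag sources:", noisy)
```

On the sample, the owner's correct password is refused once while the lock is active and accepted after it expires, and the single source responsible for all three locks is the only one flagged.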
