Branch[3.0.x.x_Maintenance]: Brute Force Attack is possible at the admin login page #8710
Comments
admin has a 3 attempt login only. Then you have to reset your account using forgotten password.
@danielkerr Sir, when a person is able to guess the password then there is no need to attempt thrice; he will directly log in to the admin section. Account locking is there, I agree, but rate limit still works after sending multiple requests on the server, so there is no use of account locking then.
You mean if they already have the password? They should not be able to guess.
I mean if someone has a database of leaked passwords (in other terms, database dumps), they can hit & try on it & can easily find out/guess the correct admin details for that particular site, because in case of correct details it is showing a different status & length for the HTTP request.
I'll be adding 2-factor auth after the next big version.
Ok, that's good. But for now you can fix it by just keeping the length & status the same as in the case of a wrong password (this is already working properly for the customer login; you can check there).
@danielkerr sir, please reopen this issue as well, as there is no account locking facility available for the admin login attempts (this facility is only available for the customer/affiliate login).
it locks after 3 or 5 wrong attempts.
@danielkerr this is not working. Please reopen this issue. To resolve this issue I can use a hardcoded number of login attempts or use the same login attempts which are defined for the customer login in the store settings.
@danielkerr Please let me know so that I can fix this issue ASAP.
It already locks the account if there are 3 wrong attempts.
@danielkerr On the admin side there is no login lock, only for customers.
@danielkerr I think we have to implement the user failed login attempt as for the customer. For this, we have to create a table to store the user's failed attempts.
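Following the suggestions above (reuse the customer-side login-attempts setting, and keep a table of failed attempts), here is an added example of per-account lockout for an admin login. It is not OpenCart's own code: the `user_login` table and its columns, the in-memory SQLite store, and the `LOGIN_ATTEMPTS`/`LOCKOUT_SECONDS` values are assumptions standing in for the store setting mentioned in the thread. It also returns one generic result for a locked account and for a wrong password, which is the response-uniformity point raised in the issue.

```php
<?php
// Added example, not OpenCart's own code: per-account failed-login tracking with a
// lockout for the admin login, modelled on the customer-side login-attempts setting.
// The table/column names, the in-memory SQLite store and the limits are assumptions.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE user_login (username TEXT PRIMARY KEY, ip TEXT, total INTEGER NOT NULL, date_modified INTEGER NOT NULL)');

const LOGIN_ATTEMPTS  = 5;     // stand-in for a store setting like config_login_attempts
const LOCKOUT_SECONDS = 3600;  // assumed lockout window once the limit is reached

// Constructed user store: username => password hash (never a plaintext password).
$users = ['admin' => password_hash('correct-horse-battery', PASSWORD_DEFAULT)];

function isLocked(PDO $db, string $username, int $now): bool {
    $stmt = $db->prepare('SELECT total, date_modified FROM user_login WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && (int)$row['total'] >= LOGIN_ATTEMPTS
        && ($now - (int)$row['date_modified']) < LOCKOUT_SECONDS;
}

function recordFailure(PDO $db, string $username, string $ip, int $now): void {
    $stmt = $db->prepare('INSERT INTO user_login (username, ip, total, date_modified)
        VALUES (?, ?, 1, ?) ON CONFLICT(username) DO UPDATE SET total = total + 1,
        ip = excluded.ip, date_modified = excluded.date_modified');
    $stmt->execute([$username, $ip, $now]);
}

// Returns 'ok' or 'error'. A locked account and a wrong password give the same result,
// so the response does not reveal whether the password itself was right.
function attemptLogin(PDO $db, array $users, string $username, string $password,
                      string $ip, int $now): string {
    $valid = password_verify($password, $users[$username] ?? '');  // also run for unknown users
    if (isLocked($db, $username, $now) || !$valid) {
        recordFailure($db, $username, $ip, $now);  // attempts during the lock extend it
        return 'error';
    }
    // Successful login resets the counter.
    $db->prepare('DELETE FROM user_login WHERE username = ?')->execute([$username]);
    return 'ok';
}

// Demo: five wrong guesses lock the account, so the correct password is refused until
// the window expires; the same call 3601 seconds later is accepted and clears the counter.
$t = time();
for ($i = 0; $i < LOGIN_ATTEMPTS; $i++) {
    attemptLogin($db, $users, 'admin', "guess$i", '203.0.113.5', $t);
}
echo attemptLogin($db, $users, 'admin', 'correct-horse-battery', '203.0.113.5', $t), "\n";
echo attemptLogin($db, $users, 'admin', 'correct-horse-battery', '203.0.113.5', $t + 3601), "\n";
```

In a real deployment the table lives in the store database alongside the customer one, and the lock should be logged so repeated hits on the admin account are visible to whoever monitors the site.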
@Webkul-Opencart: I have also provided the code to handle affiliates as a separate table for the orders last week on the Pull Requests. There is a lack of concepts regarding affiliates on the database, indeed. In fact, not only should affiliates be reverted to customer to validate their failed logins, but the affiliate accounts should be deactivated for security reasons due to those failed attempts to login.
Change the directory or put it behind an IP-restricted firewall.
login attempts #9058
fixed in maintenance-branch
I already updated the master branch. It should be working now. The version you are using is a development branch so it will break now and again.
On Tue, Mar 2, 2021 at 12:10 AM evaland999 wrote:
Dear danielkerr, so sorry to be so rude to ask you. May I ask about the master branch? Can it be downloaded to install to try? Actually I downloaded it and tried to install but got the error. I use PHP 8.0 to test. Would you mind helping answer this question for me?
[image: install] <https://user-images.githubusercontent.com/79344209/109524600-b0614500-7aeb-11eb-92bd-2f3e53ff96be.JPG>
Dear danielkerr
I suppose it still works. PHP keeps changing how things work. I'm very close to a release. There's lots happening in the background. Things are moving and a new release is coming.
On Tue, 2 Mar 2021, 15:52 evaland999 wrote:
Dear Danielkerr: Really sorry to bother you again. Actually I am not a programmer, *I am just a user of opencart. I am using OC 2.0.2 for more than at least 6 years as my live shopping website.* *And I have bought at least 100 different kinds of extensions to use on my live shop. Until today I have at least 30 extensions still working on my site.* *I must appreciate you and all the other developers first, because OC helps me a lot, helps my business really a lot.*

But you can see that my OC 2.0.2 is too old. Not only does it have many issues, but more and more extensions don't support 2.0.2 anymore. And most importantly, the speed of 2.0.2 is much slower than other versions of OC.

Maybe you have a question now: "Why don't I upgrade my 2.0.2 when you have released new versions of OC such as 2.3, 2.3xx or even 3.xx?"

My reason is simple: "as a site owner and operator, keeping my site very stable is most important." And honestly I don't want to spend too much on upgrading or improving the performance of OC, unless I need new extensions. I put all my focus on earning more business from my website.

But my OC 2.0.2 is really too old. Recently I think a lot about some unstoppable reasons such as "My OC really runs slowly", so I made an important decision: "I must build a whole new OC and move all the necessary data to this brand new OC."

Sir, now you can know I am a very senior user and have very long experience using OC. *But I don't understand the modification of the program or the understanding of the core program.*

Sorry again for making you read my words so long.

Sir, I really hope I can get answers from you about my questions below. Your answer will make up my mind what to do next.

Can you answer me:

1. *When will you release the latest version of OC*, I mean a.k.a. OC 4.xx? As my words above, sir, I hope to install the latest version of OC, because I will use it for a long time like my old 2.0.2. Unless I get special circumstances, upgrading the latest OC will be my last action.

2. If you are not planning to release the latest version of OC in a short time, **I will download 3.0.3.7 to build a brand new OC and move all my necessary data to it. Then wait for OC 4.xx to be released and then upgrade from 3.0.3.7 to OC 4.xx.** The reason I hope to own your latest OC 4.xx is that it uses "real PHP 8.xx" and I know PHP 8.xx is much faster than 7.xx. Because "website speed" made me have to give up my old 2.0.2.

Sir, my second question: "Can I really upgrade from 3.0.3.7 to 4.xx?" I am afraid OC 3.xx can't upgrade to 4.xx. If I install and start using OC 3.xx but I can't upgrade it to 4.xx, you can imagine that will be super bad news to me.

Dear Sir, can you help answer my last 2 questions.
No. There are tons of bugs after the PHP8 updates. Lots of :void functions trying to return results, or trying to return the wrong type. Actually nobody understands why this change was needed. OC4 was quite stable on both PHP7.3 and PHP8 for a while. Bugs could be fixed in future minor releases. IMHO, Daniel should better move to Bootstrap 5 + jQuery, instead of spending time on PHP8 features. I think the release will be delayed for another 2 months now. There are still tons of questions about events and extensions. The main one is how to modify default SQL code for extensions.
it will not be 2 months!
Dear Danielkerr
OC4 has an absolutely different structure from OC3. Moving from OC3 to OC4 = building a new website. But take into account that even after the OC4 release it will take time until extensions for it become available in the marketplace.
Thanks for the heads up.
Going to add an account freeze and reactivate via email link after version 4 is released.
I have integrated the new login method in both libraries on the opencart-3 repository. Could someone confirm if the password still shows after implementing this?
What version of OpenCart are you reporting this for?
Test environment: OpenCart version 3.0.3.6
Describe the bug
When applying a brute force attack at the admin login page, it shows a totally different status & length value for the correct password, i.e. 302 and 351 simultaneously, while for all the other wrong passwords it shows the same status & length value. So it is easy to guess the right password in the brute force attack.
Expected behavior
The status & length should be same for the correct password as that of the wrong passwords.
Server / Test environment:
- OpenCart version: 3.0.3.6
- Operating system: Ubuntu 16.04 LTS
- PHP version: 7.4.11
- Browser/browser version: Mozilla Firefox 81.0 (64-bit)