Item7923: Make it harder to crack user account
Item Form Data
AppliesTo: Engine
Component:
Priority: Urgent
CurrentState: Confirmed
WaitingFor:
TargetRelease: patch
ReleasedIn: 6.1.1
Detail
Originally reported by Alexander Hook:
User Account Hacking
There are two reasons why I am able to hack user accounts.
- There is no lockout mechanism (rate limit).
- Weak password policy.
Description:
There is no mitigation, no defenses of any kind, and no lockout mechanism on the login page. A maliciously minded user can continually try to brute-force an account password. I tried to input 101 passwords (100 wrong and one original password) and I was not locked out; I tried the correct password in the 123456789 time and it logged in successfully.
As I observe on other websites, they have a lockout mechanism if a user inputs 20 incorrect passwords, so you should also have a lockout mechanism for user account security.
Note: The password is easily found by counter length. In your case the status shown is 302 and the counter is the same for all 100 wrong passwords, but the original password has a different one, which means anyone can easily access a user account password.
My other point is that you also have a weak password policy, and I am able to set any password like "123456789", which is a very weak password and can easily be guessed by an attacker.
Proof of concept:
Attaching screenshots as a proof of concept, in which you can see that after trying many random passwords there is no lockout mechanism, and also that it is easily identifiable which password is the correct one for the user account.
In the screenshot you can see that I used more than 100 wrong passwords but I am still able to use the right password after 100 wrong password requests. So for security reasons there should be a lockout mechanism after many wrong password requests, so that an attacker will not be able to hack any user account by making random password requests. You also have a weak password policy, so it is easy for an attacker to hack any user account.
Steps to Reproduce:
1. Go to the login form.
2. Enter any registered email with the wrong password.
3. Capture the request, send the request to Intruder and add a payload marker on the password value.
4. Add the payload for the password field with a list of 100 or more passwords for the test and start the attack.
BOOM!
Impact:
1. There is no lockout mechanism, so an attacker can make a lot of tries; the attacker can brute-force the victim's login details, as I showed in the screenshots, and get full access.
2. A weak password such as "123456789" can be set, which is not a good password policy. Due to both vulnerabilities an attacker can brute-force the login details, and the weak password policy is a plus point for the attacker, who can hack any account easily.
This will be fixed and released in the upcoming patch release.
-- TWiki:Main/PeterThoeny - 2020-11-16
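As an added example, not code from TWiki or from the report above, this shows the two mitigations the report asks for: a per-account failed-login counter that locks the account after a threshold (the report cites 20 failures on other sites) and a password policy that rejects values such as 123456789. All names and thresholds (`LoginGuard`, `password_ok`, 20 failures, a 15-minute lock, a 12-character minimum, the small common-password list) are constructed assumptions, not TWiki settings.

```python
import time
from collections import defaultdict

# Constructed policy values (assumptions for this example, not TWiki's own settings).
MAX_FAILURES = 20          # failures allowed before the account is locked
LOCKOUT_SECONDS = 15 * 60  # how long the account stays locked
MIN_PASSWORD_LENGTH = 12
COMMON_PASSWORDS = {"123456789", "password", "qwerty"}  # constructed sample list


class LoginGuard:
    """Per-account failed-login counter with a time-based lockout.

    State lives in memory here for illustration; a real deployment keeps it in
    storage shared by all web server processes so the counter cannot be reset
    by hitting a different worker.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable for deterministic tests
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked_until = {}             # account -> clock value when lock expires

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0)

    def attempt(self, user, password, verify):
        """Return 'locked', 'ok' or 'denied'. verify(user, password) -> bool
        is the real credential check; it is skipped while the account is locked,
        so a correct guess after the threshold no longer succeeds."""
        if self.is_locked(user):
            return "locked"
        if verify(user, password):
            self.failures.pop(user, None)  # success resets the counter
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            self.failures.pop(user, None)
            return "locked"
        return "denied"


def password_ok(password):
    """Minimal policy: reject short, all-digit or known-common passwords."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if password.isdigit() or password in COMMON_PASSWORDS:
        return False
    return True
```

The "denied" and "locked" outcomes should be rendered as the same HTTP status and body so the response itself does not tell a client how close it is to the threshold.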