2018-04-10, 05:56 PM
This is a serious problem.
That setting is there to prevent bruteforcing into accounts. In ACP under the Login settings there are parameters for protecting against malicious login attempts. In the mybb_users table a column exists for loginattempts.
For the past few years I have seen occasional bruteforce attempts into accounts and my logs show an error that the loginattempts column was full because I have my type as tinyint(2), which has a maximum of 127. So that number is reached and I get a MySQL error logged. I figured MyBB just did a poor job of checking the limit wasn't reached before the login ran.
Looking into inc/functions.php I can see the login_attempt_check() function. In there you can see it uses the cookie instead of the column.
But this is the important part... the setting "maxloginattempts" is NOWHERE TO BE FOUND IN MyBB. This is a bruteforce prevention setting and it has no function for members. It is used in the ACP though. Yet for members it is not.
I'm not even sure how to consider this bug. Do you just remove the setting? Do you make it function properly inside login_attempt_check()? Or maybe just fix the query that gives the error.
// Writes the value 1 to the loginattempts column for the current user.
$update_array = array(
    'loginattempts' => 1
);
$db->update_query("users", $update_array, "uid = '{$mybb->user['uid']}'");
I'm aware that if it does a check to the database first and uses the setting, then locks out accounts, you could potentially bruteforce someone to prevent them from logging in. So there is that problem. But I do believe that is the intent of the setting we all assumed worked in that way. It does offer a disable "0" option in the description.
I do hope this bug gets labelled important and is addressed quickly.
I was stunned by this. I wonder if this setting ever had any code written in any version of MyBB? I have been getting this error since 1.6x.
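The two failure modes the post describes (a counter column that runs past its TINYINT limit of 127, and a "maxloginattempts" setting that is never consulted for members) can be modelled in a few lines. The following is an added example, not MyBB's code and not the poster's: it uses a plain dictionary as a stand-in for the mybb_users table and for the ACP settings, and the function names (record_failed_login, account_locked, simulate_failures) are assumptions for the illustration. It shows a counter that saturates at the column limit instead of overflowing, and a lockout check that honours 0 as "disabled".

```python
# Added example, not MyBB code. Models the loginattempts counter described
# in the post with two defensive properties:
#   1. the counter saturates at the column's maximum (signed TINYINT = 127),
#      so the UPDATE can never push the column out of range;
#   2. the "maxloginattempts" setting is actually consulted for members,
#      with 0 meaning the lockout is disabled.
# All names below (users, settings, record_failed_login, ...) are assumptions
# for this illustration, not MyBB functions or tables.

TINYINT_MAX = 127  # upper bound of a signed MySQL TINYINT, as in the post

# Constructed stand-in for the mybb_users table: uid -> row
users = {
    1: {"username": "alice", "loginattempts": 0},
}

# Constructed stand-in for the ACP "Login" settings; 0 disables the lockout
settings = {"maxloginattempts": 5}


def record_failed_login(uid, users=users):
    """Increment the attempt counter without ever exceeding the column limit."""
    row = users[uid]
    row["loginattempts"] = min(row["loginattempts"] + 1, TINYINT_MAX)
    return row["loginattempts"]


def account_locked(uid, users=users, settings=settings):
    """True when the setting is enabled and the counter has reached it."""
    limit = settings["maxloginattempts"]
    if limit <= 0:  # 0 means "disabled", as the setting's description says
        return False
    return users[uid]["loginattempts"] >= limit


def record_successful_login(uid, users=users):
    """Reset the counter on a good login so a stale count cannot lock the account."""
    row = users[uid]
    row["loginattempts"] = 0
    return row["loginattempts"]


def simulate_failures(n, uid, users=users, settings=settings):
    """Record n failed attempts; return (counter value, locked?) afterwards."""
    for _ in range(n):
        record_failed_login(uid, users)
    return users[uid]["loginattempts"], account_locked(uid, users, settings)


if __name__ == "__main__":
    # 300 failures against the constructed user: the counter stops at 127
    # instead of producing a MySQL out-of-range error, and the account is
    # locked once the setting's threshold of 5 is reached.
    print(simulate_failures(300, 1))
```

Note the trade-off the post already raises: a per-account lockout keyed on failed attempts lets anyone who knows a username keep its owner out, which is why the setting's 0 (disabled) option matters and why the cookie-based check in login_attempt_check() is a different design choice rather than simply a bug.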