2018-07-07, 08:34 AM
https://github.com/mybb/mybb/blob/featur....php#L6362
https://github.com/mybb/mybb/blob/b0873d....php#L1768
https://github.com/mybb/mybb/blob/2697b3.../login.php
Euan seems to think the feature exists, but IP rate-limits on login attempts seem to be missing.
I'm not sure if it ever existed or if it went missing somewhere along the line or if I'm just missing something important. The relevant lines and files are above.
If an IP brute forces one account, then the account itself will get locked out, but the IP could try to brute force every account simultaneously, while hoping that at least one will have a weak password or one they expect. Someone could respond to the IP lockouts by changing their IP (e.g. with a proxy, etc.) but that would wind up being a lot of IP changes as the number of accounts increases.
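
The gap described in the post above, as an added example that is not part of the original post and is not MyBB code: a per-account failure counter next to a per-IP sliding-window counter, run over a constructed series of failed logins from one address. The class name, thresholds and sample address are assumptions made for illustration.

```php
<?php
// Added illustration, not MyBB code. All names and thresholds are hypothetical.
final class LoginThrottle
{
    private array $byAccount = []; // username => failed-attempt count
    private array $byIp = [];      // ip => timestamps of recent failures

    public function __construct(
        private int $accountLimit = 5,   // failures before an account locks
        private int $ipLimit = 10,       // failures allowed per IP per window
        private int $windowSecs = 900    // sliding window for the IP counter
    ) {}

    // Returns null if the attempt may proceed, otherwise which limit blocked it.
    public function check(string $ip, string $user, int $now): ?string
    {
        $recent = array_filter($this->byIp[$ip] ?? [],
            fn(int $t): bool => $t > $now - $this->windowSecs);
        $this->byIp[$ip] = array_values($recent); // drop expired failures
        if (count($recent) >= $this->ipLimit) {
            return 'ip';
        }
        if (($this->byAccount[$user] ?? 0) >= $this->accountLimit) {
            return 'account';
        }
        return null;
    }

    public function recordFailure(string $ip, string $user, int $now): void
    {
        $this->byAccount[$user] = ($this->byAccount[$user] ?? 0) + 1;
        $this->byIp[$ip][] = $now;
    }
}

// Constructed input: one address fails once against each of 50 accounts.
$throttle = new LoginThrottle();
$blocked = ['ip' => 0, 'account' => 0];
for ($i = 0; $i < 50; $i++) {
    $reason = $throttle->check('203.0.113.7', "user$i", 1000 + $i);
    if ($reason !== null) {
        $blocked[$reason]++;
        continue;
    }
    $throttle->recordFailure('203.0.113.7', "user$i", 1000 + $i);
}
// No account ever reaches its own limit, since each saw at most one failure;
// only the per-IP window notices the pattern across accounts.
printf("blocked by ip: %d, by account: %d\n", $blocked['ip'], $blocked['account']);
```

The sketch requires PHP 8.0 or later and keeps counters in memory; a forum would persist them in its database or cache so they survive across requests.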