MyBB Community Forums

Full Version: SECURITY ISSUE: Those that are using custom logins
Is it me or is the number of attempts stored in a cookie alone?

If this is the case what is the point of it? For someone to brute force the forum couldn't they just clear cookie after each attempt?

Am I missing something? Doesn't it store the number of attempts in the database somewhere also?

EDIT: If you are using a custom login, it is not sufficient to rely on the inbuilt loginattempts security provided by the forum. You must add extra measures to prevent a possible brute force attack.

Thanks.
It's stored in the loginattempts field in the users table so the user is locked out. In MyBB <= 1.4.3 it was in the sessions so it could be bypassed easier, now it's in the users table, the user itself is locked out, thus protecting it completely.
Deleting the cookie clears this...

The cookie in question is loginattempts.

Although it does say 5 attempts in my database, 'loginattempts' column.

When I get the login attempts error, I enter the wrong password once more, and the error shows. I then delete all site cookies in my browser. But now it lets me have another 5 attempts.
Maybe I'm getting confused with something else... once you get it wrong though it goes to the CAPTCHA page, so it isn't just a case of clearing cookies, would be hard for a bot to try and crack the CAPTCHA after every 3 attempts.
(2009-10-14, 03:12 PM)MattRogowski Wrote: Maybe I'm getting confused with something else... once you get it wrong though it goes to the CAPTCHA page, so it isn't just a case of clearing cookies, would be hard for a bot to try and crack the CAPTCHA after every 3 attempts.

Yeah I just tried it on this forum. It enabled me to login after I cleared cookies and it did indeed go to the CAPTCHA page. However I have a custom login, which doesn't have this CAPTCHA feature.

I guess I should add it as that's vulnerable to brute forcing.
Clearing your cookies shouldn't bypass the login attempts, correct me if I am wrong.
You are wrong.

Try it for yourself.
- Invalid password 5 times (lockout message)
- Clear all site cookies
- Attempt to login again (logged in)
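The point the thread arrives at is that a custom login must count failed attempts on the server, keyed by the account, so that a client dropping its cookies does not reset the counter. The following is an added example written for this thread; it is not MyBB code and does not use MyBB's schema or API. The `make_users()` dict stands in for a users table with a `loginattempts` column and a constructed sample account, the lockout length and threshold are assumptions, and the `cookies` argument is accepted only to show that the decision never depends on it.

```python
"""Server-side login-attempt lockout that does not depend on client cookies.

Added example, not MyBB code. The dict returned by make_users() stands in for
the users table and its loginattempts column; credentials are constructed.
"""
import hashlib
import hmac

MAX_ATTEMPTS = 5            # assumption: lock after the fifth failure
LOCKOUT_SECONDS = 15 * 60   # assumption: 15 minute lockout window


def _hash(password, salt):
    # PBKDF2 stands in for whatever password hash the real site uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_users():
    """Constructed sample account record mirroring a users table row."""
    salt = b"constructed-salt"
    return {
        "alice": {
            "salt": salt,
            "pwhash": _hash("correct horse", salt),
            "loginattempts": 0,   # counter lives here, not in a cookie
            "locked_until": 0.0,  # epoch seconds; 0 means not locked
        }
    }


def login(users, username, password, now, cookies=None):
    """Return (ok, reason). `cookies` is ignored on purpose: the attempt
    counter and lock state are read from the account record only."""
    user = users.get(username)
    if user is None:
        # Same answer as a wrong password so usernames cannot be enumerated.
        return False, "invalid"

    if user["locked_until"] > now:
        return False, "locked"
    if user["locked_until"]:
        # Lock has expired: start a fresh window.
        user["locked_until"] = 0.0
        user["loginattempts"] = 0

    expected = user["pwhash"]
    if hmac.compare_digest(_hash(password, user["salt"]), expected):
        user["loginattempts"] = 0
        return True, "ok"

    user["loginattempts"] += 1
    if user["loginattempts"] >= MAX_ATTEMPTS:
        user["locked_until"] = now + LOCKOUT_SECONDS
        return False, "locked"
    return False, "invalid"


def demo():
    """Replay the steps from the thread against the server-side counter:
    five wrong passwords, then a request with no cookies at all, then a
    request after the lock has expired. Returns the list of reasons."""
    users = make_users()
    t0 = 1_000_000.0
    outcomes = [login(users, "alice", "wrong", t0)[1] for _ in range(5)]
    # "Clear all site cookies": the next request carries none, yet the
    # account is still locked because nothing was stored client-side.
    outcomes.append(login(users, "alice", "correct horse", t0 + 1, cookies={})[1])
    # Once the window has passed the correct password is accepted again.
    outcomes.append(login(users, "alice", "correct horse", t0 + LOCKOUT_SECONDS + 1)[1])
    return outcomes


if __name__ == "__main__":
    print(demo())
```

A per-account counter of this kind is what the replies describe for the stock login; a custom login page needs the same check, plus the CAPTCHA step the thread mentions if it wants the additional friction, since neither a cookie nor a session row survives a client that simply discards them.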