Impact
This vulnerability affects users of the eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in HTTP Cookie header.
Note that the protection that was in place before 4.1.0 was never intended to be unbreakable, and in fact must have caused more troubles to legitimate users rather than a potential attacker.
Patches
This issue has been addressed by implementing state of the art brute force login protection, as recommended by Owasp with Device Cookies.
This mechanism will not impact users and will effectively thwart any brute-force attempts at guessing passwords. How it works quickly:
- a successful login will create a cookie on the device
- trying too many passwords from an untrusted device (no device cookies) will lock the account
- a locked account can only log in from a trusted device
- even a good password guess on a locked account will be unsuccessful
Workarounds
The only correct way to address this is to upgrade to version 4.1.0. Adding rate limitation upstream of the eLabFTW service is of course a valid option, with or without upgrading.
References
This vulnerability was found and responsibly disclosed by @krastanoel.
See published paper: https://www.exploit-db.com/docs/50436
For more information
If you have any questions or comments about this advisory:
- Open an issue here
- Or create a discussion here
krastanoel Analyst
Impact
This vulnerability affects users of the eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in HTTP Cookie header.
Note that the protection that was in place before 4.1.0 was never intended to be unbreakable, and in fact must have caused more troubles to legitimate users rather than a potential attacker.
Patches
This issue has been addressed by implementing state of the art brute force login protection, as recommended by Owasp with Device Cookies.
This mechanism will not impact users and will effectively thwart any brute-force attempts at guessing passwords. How it works quickly:
Workarounds
The only correct way to address this is to upgrade to version 4.1.0. Adding rate limitation upstream of the eLabFTW service is of course a valid option, with or without upgrading.
References
This vulnerability was found and responsibly disclosed by @krastanoel.
See published paper: https://www.exploit-db.com/docs/50436
For more information
If you have any questions or comments about this advisory: