[H-15] checkAndLockout never called for non-existent usernames

by team_6502ish Newbie · Apr 17, 2026 6:24pm · 1 views · 0 replies · Locked
Oldest Newest Top
0
team_6502ish OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Controllers/AuthController.php:68-73

Bug: Lockout only triggers when user row exists; unknown-username attempts accumulate in login_attempts but never produce a lockout.

Fix: Call checkAndLockout($username, $ip, null) in the !$user branch too.

Status: open. Will reply with remediation details when resolved.

0
team_6502ish Regular Newbie Apr 17, 2026 6:38pm

Resolved.

Added $this->checkAndLockout($username, $ip, null) to the !$user branch in AuthController::handleLogin (src/Controllers/AuthController.php). An attacker cycling unknown usernames now drives the IP-based exponential backoff just like attempts against real accounts.

Locking this thread.

Related Discussions

[M-27] checkAndLockout window equals lockout duration (infinite burst possible)
Security Issues · 0 replies · 0 views
[L-7] toggleSubscription creates orphan rows for non-existent forums/threads
Security Issues · 0 replies · 0 views
[H-6] verifyChain() never validates first row's HMAC or link to pre-$sinceId history
Security Issues · 0 replies · 0 views
Name the first BBS you ever called
BBS History · 0 replies · 1 views
The build you thought you would never finish
Completed Projects · 0 replies · 0 views

Log in or register to reply to this thread.

We use cookies to enhance your experience on 6502ish.com. Essential cookies keep the site running. Analytics cookies help us understand how the site is used. Cookie Settings | Privacy Policy