0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Controllers/AccountController.php:244-260, 403, 448

Bug: 6-digit code with no attempt counter; session-level attacker can enumerate.

Fix: Attempt counter with lockout.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:48pm

Resolved.

Attempt counters added to all three session-backed code verification flows in src/Controllers/AccountController.php:

  • confirmPasswordChange — tracks $_SESSION['pending_password_change']['attempts']
  • confirmEmailChange — tracks $_SESSION['pending_email_change']['current_attempts']
  • finalizeEmailChange — tracks $_SESSION['pending_email_change']['new_attempts']

Each flow allows 5 wrong codes; on the 6th attempt the pending state is wiped and the user is redirected to settings. An active-session attacker can no longer enumerate all 1,000,000 6-digit codes within the 15-minute window.

Locking this thread.
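The attempt-counter pattern the fix describes, written out as an added example rather than the project's own AccountController code. The function name verifyPendingCode, the MAX_ATTEMPTS and CODE_TTL_SECONDS constants, and the layout of the pending array (code, created_at, attempts) are assumptions; the demo uses a plain array in place of $_SESSION.

```php
<?php
// Added example (not the project's code): attempt counter with lockout for one
// session-backed pending state. verifyPendingCode, MAX_ATTEMPTS, CODE_TTL_SECONDS
// and the $pending array layout are assumptions, not names from the project.

const MAX_ATTEMPTS = 5;          // wrong codes tolerated before the state is wiped
const CODE_TTL_SECONDS = 900;    // the 15-minute window mentioned in the thread

/**
 * Verify a submitted 6-digit code against a pending state stored in the session.
 * Returns 'ok', 'retry' (wrong code, attempts remain) or 'locked' (state wiped).
 * $pending is passed by reference so the caller's session entry is updated/cleared.
 */
function verifyPendingCode(?array &$pending, string $submitted, int $now): string
{
    // No pending state: never started, already consumed, or wiped earlier.
    if ($pending === null) {
        return 'locked';
    }
    // An expired state is handled like a lockout: wipe it and force a restart.
    if ($now - $pending['created_at'] > CODE_TTL_SECONDS) {
        $pending = null;
        return 'locked';
    }
    // Count the attempt before comparing, so no early return can skip the counter.
    $pending['attempts'] = ($pending['attempts'] ?? 0) + 1;
    if ($pending['attempts'] > MAX_ATTEMPTS) {
        $pending = null;           // 6th attempt: wipe; the caller redirects to settings
        return 'locked';
    }
    // Constant-time comparison; only a well-formed 6-digit string can match.
    if (preg_match('/^\d{6}$/', $submitted) === 1
        && hash_equals($pending['code'], $submitted)) {
        $pending = null;           // the code is single-use: consume the pending state
        return 'ok';
    }
    return 'retry';
}

// Stand-alone demo with a constructed array standing in for $_SESSION.
$session = ['pending' => ['code' => '482913', 'created_at' => time(), 'attempts' => 0]];
foreach (['000000', '000001', '000002', '000003', '000004', '000005', '482913'] as $guess) {
    $result = verifyPendingCode($session['pending'], $guess, time());
    echo "$guess => $result\n";   // the correct code arrives only after the lockout
}
```

Note that the counter is incremented before the comparison and the wipe happens regardless of whether the 6th submission is correct, which is what makes the 1,000,000-code search space unreachable inside the session window.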
