Improper Restriction of Excessive Authentication Attempts in login feature in janeczku/calibre-web
Jun 1st 2022
No rate limiting in login form leads to bruteforce attack
Steps to reproduce
2.Login with wrong credentials
3.Capture POST request with Burp Suite and Send to Intruder
4.Create 100 null payloads and start attack
5.Noticed that all request return 200 status code
@maintainer @admin any update ... ?
No update from our side. I expect we will hear from the maintainer shortly, as they are likely working on a fix and are typically very active on the platform.
If you have any ideas about how we can improve your experience on the platform, please feel free to create a feature request.
Hope so. I have seen that maintainer has acknowledged this report since a month ago, but doesn't have any update ...
I'm having a fix in the developer branch, but I need some more time for testing before releasing it