User edit form does not use flood control and allows for password brute force attacks

Created on 16 September 2014, over 10 years ago
Updated 2 April 2025, 4 days ago

If an attacker is able to get a user's session cookie, it is then easy to perform a brute force attack on the user edit form to guess the password, because the form's "current password" check has no flood control. Given a known session cookie, this can be deployed to a botnet to perform brute force attacks and attempt to guess the user's password.

This report was reviewed by the Drupal security team, and it was agreed it can be fixed in public: this vulnerability requires another vulnerability to exist in order to be exploited.
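As an added illustration (not code from this issue or from Drupal core), the validator below shows how the current-password check on the edit form could be gated with Drupal's Flood API, mirroring what UserLoginForm already does for failed logins. The function name, the flood event name `example.current_pass` and the reuse of the `user.flood` settings are assumptions.

```php
<?php
// Added illustration, not Drupal core code: rate-limit failed
// "current password" checks per account so a stolen session cookie
// cannot be used for unlimited password guesses.

use Drupal\Core\Form\FormStateInterface;

/**
 * Element validation callback for the current-password field (hypothetical).
 */
function example_validate_current_pass(array &$element, FormStateInterface $form_state) {
  $account = $form_state->getFormObject()->getEntity();
  $current_pass = (string) $form_state->getValue('current_pass');
  if ($current_pass === '') {
    return;
  }

  $flood = \Drupal::flood();
  // Reuse the per-user limits that UserLoginForm reads from user.flood.
  $limit = \Drupal::config('user.flood')->get('user_limit');
  $window = \Drupal::config('user.flood')->get('user_window');
  $identifier = (string) $account->id();

  // Refuse to even check the password once the threshold is reached.
  if (!$flood->isAllowed('example.current_pass', $limit, $window, $identifier)) {
    $form_state->setErrorByName('current_pass', t('Too many failed password attempts for this account. Try again later.'));
    return;
  }

  $uid = \Drupal::service('user.auth')->authenticate($account->getAccountName(), $current_pass);
  if ($uid === FALSE) {
    // Count the failure against the account, then report the error.
    $flood->register('example.current_pass', $window, $identifier);
    $form_state->setErrorByName('current_pass', t('The current password is incorrect.'));
    return;
  }

  // A successful check resets the counter, as UserLoginForm does on login.
  $flood->clear('example.current_pass', $identifier);
}
```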

Credit: mohd haji.

This issue is currently postponed on #2431357: Extract a reusable UserAuthFlood service and reuse it in UserLoginForm and BasicAuth and UserAuthenticationController →

📌 Task

Status: Postponed

Version: 11.0 🔥

Component: user system

Created by: 🇨🇦 Canada scor Toronto

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.


Comments & Activities


  • 🇺🇸 United States greggles Denver, Colorado, USA

    Removing outdated beta phase copy and making it clear in the issue summary which issue is making this postponed.
