Possible to execute denial-of-service attack using account-lockout trigger?

Discussion in 'Forum Suggestions' started by cbj4074, Feb 23, 2016.

  1. cbj4074

    cbj4074 Member

    I notice that account lockout status is not reset when a password is reset. This allows an attacker to execute a denial-of-service attack against anyone whose username or email address he knows. Given that usernames are public information on this forum, all the attacker has to do is choose a username from https://www.howtoforge.com/community/members/ and purposely fail several logins in that user's name, and the user will be unable to access his account until the timeout period expires. Needless to say, this can be done in an automated capacity, if the attacker wishes to be particularly annoying.

    Am I assessing the situation correctly? Or is there some non-obvious mechanism to prevent this type of abuse?

    Thanks for any insight!
     
    Last edited: Feb 23, 2016
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I haven't developed the Xenforo Forum software, so I can't say for sure which exact mechanism they use. But Xenforo is a widely used software on large forums, so there are probably no frequent problems with that.
     
  3. cbj4074

    cbj4074 Member

    Thanks for taking a look, Till. Shall I test it? I'll fail login with your account several times and we'll see if you're still able to login. Presumably, any throttling is IP-specific, so this shouldn't lock you out, in theory...
     
  4. cbj4074

    cbj4074 Member

    Okay, I just tried to lock you out by failing 5 times. Are you still able to log out and back in? And if not, are you able to reset your password?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Login works fine for me and also my active session was not interrupted and I can reset my password.
     
  6. cbj4074

    cbj4074 Member

    Awesome! Then it sounds like a non-issue. Thanks for testing, Till!
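One way to build the source-scoped throttle that Till's test points to, keyed on the (source IP, username) pair so that failed attempts from one address never lock the account's owner out from another; this is an added example, not code from the thread or from XenForo, and the IP addresses, limits and clock are constructed assumptions.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5        # failed attempts allowed per source/account pair (assumed value)
LOCKOUT_SECONDS = 900   # how long a source stays throttled after hitting the cap (assumed value)


class LoginThrottle:
    """Throttle failed logins per (source IP, username) rather than per account.

    Keying on the account alone lets anyone who knows a username lock its owner out;
    keying on the source as well means a remote party only throttles their own address.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._failures = defaultdict(list)  # (ip, user) -> timestamps of recent failures

    @staticmethod
    def _key(ip, username):
        return (ip, username.lower())

    def is_locked(self, ip, username):
        cutoff = self._now() - LOCKOUT_SECONDS
        key = self._key(ip, username)
        recent = [t for t in self._failures[key] if t > cutoff]  # drop expired failures
        self._failures[key] = recent
        return len(recent) >= MAX_FAILURES

    def record_failure(self, ip, username):
        self._failures[self._key(ip, username)].append(self._now())

    def reset(self, ip, username):
        """Clear the counter after a successful login or a password reset."""
        self._failures.pop(self._key(ip, username), None)


def demo():
    clock = [1_000_000.0]  # injectable clock so the window can be advanced deterministically
    throttle = LoginThrottle(now=lambda: clock[0])
    # Constructed scenario: five failed logins for "till" arrive from 203.0.113.7
    for _ in range(5):
        throttle.record_failure("203.0.113.7", "till")
    source_locked = throttle.is_locked("203.0.113.7", "till")
    # The account owner, logging in from a different address, is unaffected
    owner_locked = throttle.is_locked("198.51.100.20", "till")
    # Once the window expires, the throttled source is released again
    clock[0] += LOCKOUT_SECONDS + 1
    released = not throttle.is_locked("203.0.113.7", "till")
    return source_locked, owner_locked, released
```

A production version would pair this with a per-IP cap across all usernames and an alert on bursts of failures for a single account, since a flood against one username is itself a signal worth logging.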
     