Rate limit password-less login attempts from the same IP address (thanks to hyp3rlinx)
This commit is contained in:
parent
f3938c1a66
commit
0e5df34ea8
@ -48,14 +48,18 @@ function add_invalid_login() {
|
|||
fclose($fp);
|
||||
}
|
||||
|
||||
$auth = $_POST["auth"];
|
||||
if ($auth) {
|
||||
function check_invalid_login() {
|
||||
global $adminer;
|
||||
$invalids = unserialize(@file_get_contents(get_temp_dir() . "/adminer.invalid")); // @ - may not exist
|
||||
$invalid = $invalids[$adminer->bruteForceKey()];
|
||||
$next_attempt = ($invalid[1] > 30 ? $invalid[0] - time() : 0); // allow 30 invalid attempts
|
||||
if ($next_attempt > 0) { //! do the same with permanent login
|
||||
auth_error(lang('Too many unsuccessful logins, try again in %d minute(s).', ceil($next_attempt / 60)));
|
||||
}
|
||||
}
|
||||
|
||||
$auth = $_POST["auth"];
|
||||
if ($auth) {
|
||||
session_regenerate_id(); // defense against session fixation
|
||||
$vendor = $auth["driver"];
|
||||
$server = $auth["server"];
|
||||
|
@ -161,6 +165,7 @@ if (isset($_GET["username"])) {
|
|||
page_footer("auth");
|
||||
exit;
|
||||
}
|
||||
check_invalid_login();
|
||||
$connection = connect();
|
||||
}
|
||||
|
||||
|
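Review bot: `check_invalid_login()` passes the contents of `adminer.invalid` straight into `unserialize()`; if `get_temp_dir()` resolves to the system temp directory (writable by other local users on shared hosts), anyone who can write that file gets PHP object injection inside the admin process and can also forge or clear lockout counters for any key. The producer, `add_invalid_login()` (its end is visible at the top of the hunk, the rest is outside it), appears to store only integers, so a non-executable encoding would close this: `$invalids = json_decode(@file_get_contents(get_temp_dir() . "/adminer.invalid"), true);` with `json_encode` on the writer side, followed by `if (!is_array($invalids)) { $invalids = array(); }` so a missing or corrupted file degrades to "no lockout" instead of indexing `false`/`null` on `$invalid[1]`. The limiter is also only as strong as `$adminer->bruteForceKey()`, which is not shown here: if it is derived from a client-supplied header such as `X-Forwarded-For` rather than `REMOTE_ADDR`, the per-IP limit is trivially bypassed, so that is worth confirming. The `//! do the same with permanent login` marker already records that the permanent-login path skips this check.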
@ -1,6 +1,7 @@
|
|||
Adminer 4.4.0-dev:
|
||||
Add Content Security Policy
|
||||
Disallow scripts without nonce
|
||||
Rate limit password-less login attempts from the same IP address
|
||||
Add nosniff header
|
||||
PHP 7.1: Prevent warning when using empty limit
|
||||
MySQL: Remove dedicated view for replication status (added in 4.3.0)
|
||||
|