Rate limit password-less login attempts from the same IP address (thanks to hyp3rlinx)
parent
f3938c1a66
commit
0e5df34ea8
|
@ -48,14 +48,18 @@ function add_invalid_login() {
|
||||||
fclose($fp);
|
fclose($fp);
|
||||||
}
|
}
|
||||||
|
|
||||||
$auth = $_POST["auth"];
|
function check_invalid_login() {
|
||||||
if ($auth) {
|
global $adminer;
|
||||||
$invalids = unserialize(@file_get_contents(get_temp_dir() . "/adminer.invalid")); // @ - may not exist
|
$invalids = unserialize(@file_get_contents(get_temp_dir() . "/adminer.invalid")); // @ - may not exist
|
||||||
$invalid = $invalids[$adminer->bruteForceKey()];
|
$invalid = $invalids[$adminer->bruteForceKey()];
|
||||||
$next_attempt = ($invalid[1] > 30 ? $invalid[0] - time() : 0); // allow 30 invalid attempts
|
$next_attempt = ($invalid[1] > 30 ? $invalid[0] - time() : 0); // allow 30 invalid attempts
|
||||||
if ($next_attempt > 0) { //! do the same with permanent login
|
if ($next_attempt > 0) { //! do the same with permanent login
|
||||||
auth_error(lang('Too many unsuccessful logins, try again in %d minute(s).', ceil($next_attempt / 60)));
|
auth_error(lang('Too many unsuccessful logins, try again in %d minute(s).', ceil($next_attempt / 60)));
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$auth = $_POST["auth"];
|
||||||
|
if ($auth) {
|
||||||
session_regenerate_id(); // defense against session fixation
|
session_regenerate_id(); // defense against session fixation
|
||||||
$vendor = $auth["driver"];
|
$vendor = $auth["driver"];
|
||||||
$server = $auth["server"];
|
$server = $auth["server"];
|
||||||
|
@ -161,6 +165,7 @@ if (isset($_GET["username"])) {
|
||||||
page_footer("auth");
|
page_footer("auth");
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
check_invalid_login();
|
||||||
$connection = connect();
|
$connection = connect();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
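Review bot: `check_invalid_login()` still hands a file from the shared temp directory (`get_temp_dir() . "/adminer.invalid"`) to `unserialize()`, and with the new call placed before `connect()` inside the `if (isset($_GET["username"]))` block it now presumably runs on every request that carries a username, not only on the login POST. On a host where other local users can write to that directory, a crafted `adminer.invalid` is a PHP object-injection vector and a trivial lock-out of every Adminer user, so the state should be parsed as plain data rather than PHP objects, e.g. `$invalids = json_decode(@file_get_contents(get_temp_dir() . "/adminer.invalid"), true); // @ - may not exist` with the matching `json_encode` in `add_invalid_login()` (whose body starts outside the hunk), and the looked-up entry guarded with `if (is_array($invalid))` before `$invalid[0]`/`$invalid[1]` are read. The lock is keyed by `$adminer->bruteForceKey()`, which the commit title describes as the client IP, so thirty bad attempts from one client behind a shared NAT or reverse proxy lock out everyone sharing that address; a one-line comment on the function stating that trade-off would help the next maintainer, and the `//! do the same with permanent login` marker is still open.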
|
@ -1,6 +1,7 @@
|
||||||
Adminer 4.4.0-dev:
|
Adminer 4.4.0-dev:
|
||||||
Add Content Security Policy
|
Add Content Security Policy
|
||||||
Disallow scripts without nonce
|
Disallow scripts without nonce
|
||||||
|
Rate limit password-less login attempts from the same IP address
|
||||||
Add nosniff header
|
Add nosniff header
|
||||||
PHP 7.1: Prevent warning when using empty limit
|
PHP 7.1: Prevent warning when using empty limit
|
||||||
MySQL: Remove dedicated view for replication status (added in 4.3.0)
|
MySQL: Remove dedicated view for replication status (added in 4.3.0)
|
||||||
|
|