fclose($fp);
}
-$auth = $_POST["auth"];
-if ($auth) {
+function check_invalid_login() {
+ global $adminer;
$invalids = unserialize(@file_get_contents(get_temp_dir() . "/adminer.invalid")); // @ - may not exist
$invalid = $invalids[$adminer->bruteForceKey()];
$next_attempt = ($invalid[1] > 30 ? $invalid[0] - time() : 0); // allow 30 invalid attempts
if ($next_attempt > 0) { //! do the same with permanent login
auth_error(lang('Too many unsuccessful logins, try again in %d minute(s).', ceil($next_attempt / 60)));
}
+}
+
+$auth = $_POST["auth"];
+if ($auth) {
session_regenerate_id(); // defense against session fixation
$vendor = $auth["driver"];
$server = $auth["server"];
page_footer("auth");
exit;
}
+ check_invalid_login();
$connection = connect();
}
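Review bot: check_invalid_login() feeds the contents of `get_temp_dir() . "/adminer.invalid"` straight into `unserialize()`, and the new call on the line before `connect()` now runs that for every login attempt rather than only the ones carrying `$_POST["auth"]`. On hosts where the temp directory is shared, that file can be written by other local users, so it is untrusted input and `unserialize()` can instantiate arbitrary classes; the data kept there appears to be only integers, so on PHP 7+ `unserialize($data, array('allowed_classes' => false))` closes that vector without changing the stored format (the writer is outside this hunk and would stay as is), or the store could move to json_encode/json_decode. Guarding the lookup with `if (is_array($invalids))` would also avoid the offset-on-`false` access when the file does not exist yet, which is the case on every fresh install. The block that encloses the call site and is closed by the final `}` starts outside the hunk.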
Adminer 4.4.0-dev:
Add Content Security Policy
Disallow scripts without nonce
+Rate limit password-less login attempts from the same IP address
Add nosniff header
PHP 7.1: Prevent warning when using empty limit
MySQL: Remove dedicated view for replication status (added in 4.3.0)