JhumanJ OpnForm Brute-Force Protection Bypass Vulnerability
Vulnerability
A vulnerability exists in JhumanJ OpnForm versions through 1.9.3, in an unknown function of the HTTP Header Handler component. The application relies on the client-supplied X-Forwarded-For header when identifying the source of a request, so the limit on authentication attempts per source can be evaded. The vulnerability can be exploited remotely; it is rated as high attack complexity, which makes it harder to execute, but a public exploit is available.
Impact
Exploitation bypasses the brute-force protection on authentication, allowing an attacker to make far more login attempts than the lockout policy intends without triggering it.
Reproduction
To reproduce this vulnerability, send requests to the login endpoint with an X-Forwarded-For header that spoofs the source IP address. Because each request appears to come from a different address, the application's brute-force protection is bypassed and multiple login attempts can be made without triggering a lockout.
Remediation
Users are advised to update to JhumanJ OpnForm version 1.9.4 or later, where this vulnerability has been patched.
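The defect is a general one: a throttle keyed on whatever X-Forwarded-For says lets the client choose its own rate-limit key. The following is an added illustration, not OpnForm's code or its actual patch; the throttle, the constructed requests and the trusted-proxy range 192.0.2.0/24 are assumptions. It places the naive key derivation beside one that only honours the header when the TCP peer is a trusted proxy, and then takes the rightmost hop that a trusted proxy did not add.

```python
import ipaddress
from collections import defaultdict
from typing import Iterable, Optional, Tuple


def client_ip_naive(remote_addr: str, xff: Optional[str]) -> str:
    """Vulnerable pattern: trusts the client-supplied header unconditionally."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_safe(remote_addr: str, xff: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """Hardened pattern: ignore the header unless the direct peer is a trusted proxy,
    then walk the chain from the right and skip every trusted proxy; the first
    untrusted address is the one the nearest trusted proxy actually saw."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr: str) -> bool:
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:  # not a parseable address: never treat as a proxy
            return False

    if not xff or not trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not trusted(hop):
            return hop
    return remote_addr  # every hop was a trusted proxy; fall back to the peer


class LoginThrottle:
    """Constructed stand-in for a per-source lockout: lock after `limit` failures."""

    def __init__(self, limit: int = 5) -> None:
        self.limit = limit
        self.failures = defaultdict(int)

    def record_failure(self, key: str) -> bool:
        """Record one failed login for `key`; return True once it is locked out."""
        self.failures[key] += 1
        return self.failures[key] >= self.limit


def simulate(attempts: Iterable[Tuple[str, Optional[str]]], trusted_proxies: Iterable[str]) -> Tuple[bool, bool]:
    """Feed the same failed logins to both throttles; return (naive_locked, safe_locked)."""
    naive, safe = LoginThrottle(), LoginThrottle()
    naive_locked = safe_locked = False
    for remote_addr, xff in attempts:
        naive_locked |= naive.record_failure(client_ip_naive(remote_addr, xff))
        safe_locked |= safe.record_failure(client_ip_safe(remote_addr, xff, trusted_proxies))
    return naive_locked, safe_locked
```

With eight failed logins from one peer that each carry a different spoofed X-Forwarded-For value, the naive throttle never locks (eight distinct keys) while the hardened one locks on the real peer address after five.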