ScriptAndTools eCommerce-Website-in-PHP Excessive Authentication Attempts Vulnerability
Vulnerability
A vulnerability involving improper restriction of excessive authentication attempts has been identified in ScriptAndTools eCommerce-website-in-PHP version 3.0. The issue resides in the login.php file, where an unknown function fails to limit the number of login attempts, potentially leading to unauthorized data access, account takeover, privilege escalation, and denial-of-service conditions. The vulnerability can be exploited remotely, although the attack complexity is rated high.
Impact
Exploitation of this vulnerability could result in unauthorized access to user accounts, allowing attackers to modify account details, orders, and related information. Such actions could lead to account takeover, privilege escalation, and potential reputational damage for affected organizations.
Reproduction
To reproduce this vulnerability, access the login.php file and attempt to log in with a valid email address and multiple incorrect passwords. The application does not limit the number of failed login attempts, allowing for brute-force attacks. Alternatively, the published tool available on GitHub can be used to automate this process.
Remediation
It is recommended to implement measures that limit login attempts, such as introducing captcha verification or other rate-limiting strategies.
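The following is an added example of the rate-limiting strategy recommended above; it is not code from the ScriptAndTools project or from the original advisory. It tracks failed logins per account and per client address in a SQLite table, refuses further attempts once a threshold is reached inside a time window, and clears the account counter only on a successful login. The table name, column names, thresholds, the `attemptLogin()` API and the sample account are all assumptions chosen for the demonstration.

```php
<?php
// Added example (not from the ScriptAndTools project): a login-attempt limiter
// for a PHP login handler. Table name, thresholds and function names are assumptions.
declare(strict_types=1);

const MAX_FAILURES   = 5;    // failures allowed per account inside the window (assumed)
const IP_MULTIPLIER  = 4;    // a single client address may accumulate 4x that (assumed)
const WINDOW_SECONDS = 900;  // 15-minute sliding window (assumed)

function openAttemptStore(string $path): PDO
{
    $pdo = new PDO('sqlite:' . $path, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE IF NOT EXISTS login_attempts (key_hash TEXT NOT NULL, attempted_at INTEGER NOT NULL)');
    $pdo->exec('CREATE INDEX IF NOT EXISTS idx_attempts_key ON login_attempts(key_hash, attempted_at)');
    return $pdo;
}

// Counters are keyed by a hash of "scope:value" so raw emails and IPs are not stored.
function attemptKey(string $scope, string $value): string
{
    return hash('sha256', $scope . ':' . strtolower(trim($value)));
}

function recentFailures(PDO $pdo, string $keyHash, int $now): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM login_attempts WHERE key_hash = :k AND attempted_at > :since');
    $stmt->execute([':k' => $keyHash, ':since' => $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn();
}

function isLockedOut(PDO $pdo, string $email, string $ip, int $now): bool
{
    return recentFailures($pdo, attemptKey('email', $email), $now) >= MAX_FAILURES
        || recentFailures($pdo, attemptKey('ip', $ip), $now) >= MAX_FAILURES * IP_MULTIPLIER;
}

function recordFailure(PDO $pdo, string $email, string $ip, int $now): void
{
    $insert = $pdo->prepare('INSERT INTO login_attempts (key_hash, attempted_at) VALUES (:k, :t)');
    foreach ([attemptKey('email', $email), attemptKey('ip', $ip)] as $k) {
        $insert->execute([':k' => $k, ':t' => $now]);
    }
    // Prune rows that have aged out of the window so the table stays small.
    $pdo->prepare('DELETE FROM login_attempts WHERE attempted_at <= :since')
        ->execute([':since' => $now - WINDOW_SECONDS]);
}

function clearFailures(PDO $pdo, string $email): void
{
    // Only the account counter is reset; the per-IP counter keeps accumulating.
    $pdo->prepare('DELETE FROM login_attempts WHERE key_hash = :k')
        ->execute([':k' => attemptKey('email', $email)]);
}

/**
 * Hardened login check. $lookupHash returns the stored password_hash() value for
 * an email, or null if the account does not exist. Returns 'locked', 'failed' or 'ok'
 * and never reveals whether the email or the password was the wrong part.
 */
function attemptLogin(PDO $pdo, string $email, string $password, string $ip, callable $lookupHash, ?int $now = null): string
{
    $now = $now ?? time();
    if (isLockedOut($pdo, $email, $ip, $now)) {
        return 'locked';
    }
    // Always run password_verify(), against a dummy hash for unknown accounts,
    // so response timing does not disclose which emails exist.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);
    $stored = $lookupHash($email);
    $ok = password_verify($password, $stored ?? $dummy) && $stored !== null;
    if (!$ok) {
        recordFailure($pdo, $email, $ip, $now);
        return 'failed';
    }
    clearFailures($pdo, $email);
    return 'ok';
}

// Constructed demo: one account, six wrong passwords from one client, then the right one.
$pdo = openAttemptStore(':memory:');
$users = ['alice@example.com' => password_hash('correct horse', PASSWORD_DEFAULT)];
$lookup = fn(string $e): ?string => $users[strtolower($e)] ?? null;
for ($i = 1; $i <= 6; $i++) {
    echo "attempt $i: ", attemptLogin($pdo, 'alice@example.com', "wrong$i", '203.0.113.7', $lookup), PHP_EOL;
}
echo 'correct password while locked: ', attemptLogin($pdo, 'alice@example.com', 'correct horse', '203.0.113.7', $lookup), PHP_EOL;
```

The limiter is checked before the password is verified, so a correct password submitted during the lockout is also refused until the recorded failures age out of the window; this is what stops a guessing loop from confirming a hit. A captcha, as the advisory also suggests, can be triggered at a lower threshold than the hard lockout so legitimate users who mistype a few times are slowed down rather than locked out.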
