ScriptAndTools eCommerce No Limit Authentication Attempt Vulnerability

Vulnerability

An improper restriction of excessive authentication attempts vulnerability has been identified in ScriptAndTools eCommerce-website-in-PHP version 3.0. The issue resides in the admin/login.php file, which does not limit the number of failed login attempts, potentially leading to unauthorized access, account takeover, privilege escalation, denial-of-service, and reputational damage.

Impact

Because no limit is enforced, an attacker can keep submitting password guesses against the admin login until one succeeds, gaining unauthorized access to admin accounts. From there they could manipulate user accounts, orders, and verification information, causing significant disruption to the eCommerce platform.

Reproduction

To reproduce this vulnerability, access the admin/login.php file and attempt to log in with an email address and multiple incorrect passwords. The application does not impose any restrictions on the number of failed login attempts, allowing for brute-force attacks. Alternatively, a scripted tool can be used to automate the process of entering incorrect passwords.

Remediation

It is recommended to limit the number of failed login attempts and to add CAPTCHA verification so that automated password guessing is blocked.
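As an added illustration of that remediation (this is example code written for this page, not ScriptAndTools' own login.php), the following PHP throttle counts failed logins per email and per source address and refuses further attempts for a fixed period once the limit is reached. It assumes PHP 8 with PDO and the sqlite driver (SQLite 3.24 or later for ON CONFLICT); the table name, limits, user list and the attemptAdminLogin() helper are constructed for this demo.

```php
<?php
// Added example, not ScriptAndTools' code: a failed-login throttle that a
// page such as admin/login.php could consult before it verifies a password.
// Assumes PDO with the sqlite driver; table name, limits and the $users
// array below are constructed for this demo.
declare(strict_types=1);

final class LoginThrottle
{
    public function __construct(
        private PDO $db,
        private int $maxFailures = 5,     // failures tolerated inside one window
        private int $windowSeconds = 900, // window and lockout: 15 minutes
        private int $lockoutSeconds = 900
    ) {
        $db->exec('CREATE TABLE IF NOT EXISTS login_failures (
            key_name TEXT PRIMARY KEY, failures INTEGER NOT NULL,
            first_failure INTEGER NOT NULL, locked_until INTEGER NOT NULL DEFAULT 0)');
    }

    /** Seconds the caller must wait before another attempt, 0 if allowed now. */
    public function retryAfter(string $key, int $now): int
    {
        $row = $this->row($key);
        return $row !== null ? max(0, $row['locked_until'] - $now) : 0;
    }

    public function recordFailure(string $key, int $now): void
    {
        $row = $this->row($key);
        if ($row === null || $now - $row['first_failure'] > $this->windowSeconds) {
            [$failures, $first] = [1, $now];              // start a fresh window
        } else {
            [$failures, $first] = [$row['failures'] + 1, $row['first_failure']];
        }
        $locked = $failures >= $this->maxFailures ? $now + $this->lockoutSeconds : 0;
        $this->db->prepare('INSERT INTO login_failures VALUES (:k, :f, :first, :l)
            ON CONFLICT(key_name) DO UPDATE SET failures = excluded.failures,
            first_failure = excluded.first_failure, locked_until = excluded.locked_until')
            ->execute([':k' => $key, ':f' => $failures, ':first' => $first, ':l' => $locked]);
    }

    public function recordSuccess(string $key): void
    {
        $this->db->prepare('DELETE FROM login_failures WHERE key_name = :k')
            ->execute([':k' => $key]);
    }

    private function row(string $key): ?array
    {
        $stmt = $this->db->prepare('SELECT failures, first_failure, locked_until
            FROM login_failures WHERE key_name = :k');
        $stmt->execute([':k' => $key]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : array_map('intval', $row);
    }
}

/**
 * Throttled login check. $users maps lowercase email => password_hash() output.
 * Returns 'ok', 'locked' or 'denied'; a real page would show the same generic
 * message for 'locked' and 'denied' so it does not reveal whether the email exists.
 */
function attemptAdminLogin(LoginThrottle $t, array $users, string $email,
                           string $password, string $ip, int $now): string
{
    $email = strtolower($email);
    $keys = ['email:' . $email, 'ip:' . $ip];   // throttle on both keys
    foreach ($keys as $k) {
        if ($t->retryAfter($k, $now) > 0) {
            return 'locked';
        }
    }
    // Verify against a dummy hash for unknown users so timing stays uniform.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $known = isset($users[$email]);
    if (password_verify($password, $known ? $users[$email] : $dummy) && $known) {
        foreach ($keys as $k) { $t->recordSuccess($k); }
        return 'ok';
    }
    foreach ($keys as $k) { $t->recordFailure($k, $now); }
    return 'denied';
}

// Demo: five wrong passwords lock the account, even for the correct password,
// until the lockout expires.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$throttle = new LoginThrottle($db);
$users = ['admin@example.test' => password_hash('correct horse', PASSWORD_DEFAULT)];
$t0 = 1_700_000_000;
for ($i = 0; $i < 5; $i++) {
    echo attemptAdminLogin($throttle, $users, 'admin@example.test', "guess$i", '203.0.113.5', $t0 + $i), "\n"; // denied
}
echo attemptAdminLogin($throttle, $users, 'admin@example.test', 'correct horse', '203.0.113.5', $t0 + 6), "\n";    // locked
echo attemptAdminLogin($throttle, $users, 'admin@example.test', 'correct horse', '203.0.113.5', $t0 + 1000), "\n"; // ok
```

Two design points matter for a defender here. First, the lockout is temporary and keyed on both the account and the source address: a permanent per-account lockout would turn the missing limit into the denial-of-service the advisory lists, since anyone could lock the administrator out by submitting bad passwords. Second, the throttle check runs before password verification and the counters are reset only on success, so every failed attempt, scripted or manual, counts; pairing this with the CAPTCHA the advisory recommends covers attempts spread across many addresses, which a per-IP counter alone does not.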

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.