WBCE CMS Brute-Force Protection Bypass Vulnerability

Vulnerability

A vulnerability exists in WBCE CMS version 1.6.4 that allows attackers to bypass the brute-force protection on the login mechanism. The application takes the client address from the 'X-Forwarded-For' request header without checking that the header was set by a trusted proxy, so an attacker who changes the header value gets a fresh login-attempt counter for every new value. This flaw allows unlimited password guessing from a single source address and effectively circumvents the brute-force defense.

Impact

Exploitation of this vulnerability could lead to unlimited brute-force attempts on user accounts, potentially allowing for unauthorized access, including to administrator accounts.

Reproduction

To reproduce this vulnerability, open the login page of a WBCE CMS 1.6.4 installation and send login requests through an intercepting proxy, adding an 'X-Forwarded-For' header with an arbitrary IP address. After five failed login attempts the application blocks further attempts for that address. Because the blocked address is the one taken from the header rather than the address of the connection, changing the 'X-Forwarded-For' value to a different IP address removes the block and password guessing continues from the same source. This can be automated with a script that rotates the spoofed IP after every five attempts.
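The following is an added example, not WBCE code: a minimal model of a per-address login limiter that, like the flaw described above, derives the client address from 'X-Forwarded-For' and therefore lets the client pick its own counter, beside a variant that only honours the header when the request really arrived from a configured reverse proxy. The attacker and proxy addresses are constructed, and the trusted-proxy check is a general hardening pattern, not the captcha-and-delay fix the vendor shipped.

```python
# Added example (not WBCE code): per-address login limiter keyed on
# X-Forwarded-For, vulnerable form beside a trusted-proxy-aware form.
import ipaddress
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 5   # the five-attempt threshold described on the page


def _parse_ip(text):
    """Return an ip_address, or None if the value is not a literal IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip_vulnerable(peer_ip, headers):
    """Trusts X-Forwarded-For from anyone: the leftmost entry wins."""
    xff = headers.get("X-Forwarded-For", "")
    if xff:
        first = _parse_ip(xff.split(",")[0])
        if first is not None:
            return str(first)
    return peer_ip


def client_ip_hardened(peer_ip, headers, trusted_proxies):
    """Only believe X-Forwarded-For if the TCP peer is a trusted proxy.

    Walk the list from the right (the end our proxies appended to), skip every
    hop that is itself a trusted proxy, and take the first other address as
    the client. Anything unparsable falls back to the peer address.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(peer_ip) not in trusted:
        return peer_ip            # header came straight from the client: ignore it
    hops = [_parse_ip(h) for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        if hop is None:
            return peer_ip        # malformed list: never let the client choose
        if hop not in trusted:
            return str(hop)
    return peer_ip


class LoginRateLimiter:
    """Per-address failed-login counter that blocks after MAX_FAILED_ATTEMPTS."""

    def __init__(self, resolve_client_ip):
        self.resolve = resolve_client_ip
        self.failed = defaultdict(int)

    def attempt(self, peer_ip, headers, password_correct):
        ip = self.resolve(peer_ip, headers)
        if self.failed[ip] >= MAX_FAILED_ATTEMPTS:
            return "blocked"      # the guess is not evaluated at all
        if password_correct:
            self.failed[ip] = 0
            return "ok"
        self.failed[ip] += 1
        return "failed"


def guesses_evaluated(resolve, n_guesses, rotate_every=MAX_FAILED_ATTEMPTS):
    """An attacker at one real address sends n wrong passwords, changing the
    spoofed X-Forwarded-For value every `rotate_every` requests. Returns how
    many guesses the server actually checked instead of rejecting as blocked."""
    limiter = LoginRateLimiter(resolve)
    attacker_peer = "203.0.113.10"            # constructed attacker address
    evaluated = 0
    for i in range(n_guesses):
        batch = i // rotate_every
        spoofed = f"10.0.{batch >> 8}.{batch & 255}"
        if limiter.attempt(attacker_peer, {"X-Forwarded-For": spoofed}, False) == "failed":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    trusted = ["192.0.2.1"]                   # constructed reverse-proxy address
    print("vulnerable:", guesses_evaluated(client_ip_vulnerable, 1000))
    print("hardened:  ", guesses_evaluated(
        lambda p, h: client_ip_hardened(p, h, trusted), 1000))
```

Run as a script, the vulnerable resolver lets all 1000 guesses through because every new header value starts a fresh counter, while the hardened resolver ignores the attacker-supplied header, attributes every request to the real peer address, and evaluates only the first five. The hardened form walks the header from the right because that is the end a proxy appends to; taking the leftmost entry, as the vulnerable form does, hands the choice back to the client even when a proxy is in front.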

Remediation

Users should upgrade to WBCE CMS version 1.6.5, which addresses this vulnerability by adding a captcha to the login process and delaying login responses, making brute-force attacks more costly. Deployments behind a reverse proxy should additionally ensure that the proxy sets or overwrites 'X-Forwarded-For' itself, so that a client-supplied value never reaches the application.

Added: Dec 9, 2025, 12:17 AM
Updated: Dec 9, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 5.0
exploitability: 9.7
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.