Tasin1025 SwiftBuy Excessive Authentication Vulnerability in Login.php
Vulnerability
A vulnerability allowing excessive authentication attempts has been identified in Tasin1025 SwiftBuy versions prior to commit 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. The issue lies in the file login.php, which places no restriction on the number of failed login attempts. This vulnerability can be exploited remotely, and although it has been publicly disclosed along with an exploit, exploitation appears to be complex and challenging.
Impact
Exploitation of this vulnerability could lead to unauthorized access to user accounts, allowing attackers to modify orders and personal information. Such actions could disrupt business operations and damage the company's reputation.
Reproduction
To reproduce this vulnerability, access the login.php file and attempt to log in with an email address and incorrect passwords. There are no restrictions on the number of failed attempts, allowing for brute-force attacks. This vulnerability can also be exploited using an automated tool available on GitHub.
Remediation
It is recommended to implement measures such as limiting login attempts and adding CAPTCHA verification to prevent automated exploitation.
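The following is an added illustration of the first of those measures, not code from SwiftBuy or its author: a small failed-login throttle that a PHP handler such as login.php could call before checking the password. It counts failures per account and per client address, locks the key after a fixed number of failures with exponential backoff, and clears the counter on success. The class and function names, the in-memory store, the sample user and the fixed clock value are all constructed for the example; a real deployment would keep the counters in the application database or a cache so they survive across requests, and PHP 8 is assumed for the constructor syntax.

```php
<?php
// Added example (not SwiftBuy's own code): per-account and per-address
// throttling of failed logins, to be consulted before password verification.
declare(strict_types=1);

final class LoginThrottle
{
    /** @var array<string, array{fails:int, until:int}> in-memory store (constructed) */
    private array $state = [];

    public function __construct(
        private int $maxAttempts = 5,       // failures allowed before the first lock
        private int $baseLockSeconds = 60,  // length of the first lockout
        private int $maxLockSeconds = 3600  // cap on the exponential backoff
    ) {}

    /** Seconds remaining on a lockout for $key, or 0 if an attempt is allowed. */
    public function secondsLocked(string $key, int $now): int
    {
        $s = $this->state[$key] ?? null;
        return $s === null ? 0 : max(0, $s['until'] - $now);
    }

    /** Record a failure; once maxAttempts is reached, lock with growing delay. */
    public function recordFailure(string $key, int $now): void
    {
        $s = $this->state[$key] ?? ['fails' => 0, 'until' => 0];
        $s['fails']++;
        if ($s['fails'] >= $this->maxAttempts) {
            // Backoff doubles with every further failure: 60s, 120s, 240s, ... up to the cap.
            $over = $s['fails'] - $this->maxAttempts;
            $s['until'] = $now + min($this->maxLockSeconds, $this->baseLockSeconds * (2 ** $over));
        }
        $this->state[$key] = $s;
    }

    /** A successful login clears the counter for that key. */
    public function recordSuccess(string $key): void
    {
        unset($this->state[$key]);
    }
}

/**
 * Login handler (hypothetical): refuse locked keys before touching the
 * password, so a throttled request costs the same regardless of credentials.
 */
function handleLogin(array $users, string $dummyHash, LoginThrottle $t,
                     string $email, string $password, string $ip, int $now): string
{
    $account = strtolower($email);
    $keys = ['email:' . $account, 'ip:' . $ip];
    foreach ($keys as $k) {
        $wait = $t->secondsLocked($k, $now);
        if ($wait > 0) {
            return "429 locked, retry in {$wait}s";
        }
    }
    // Verify against a dummy hash for unknown accounts so response time does not
    // reveal whether the email exists.
    $hash = $users[$account] ?? $dummyHash;
    $ok = password_verify($password, $hash) && isset($users[$account]);
    if (!$ok) {
        foreach ($keys as $k) { $t->recordFailure($k, $now); }
        return '401 invalid credentials';
    }
    foreach ($keys as $k) { $t->recordSuccess($k); }
    return '200 ok';
}

// Constructed sample data: one user, a dummy hash, and a fixed clock.
$users = ['alice@example.com' => password_hash('correct horse', PASSWORD_DEFAULT)];
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
$throttle = new LoginThrottle(maxAttempts: 5, baseLockSeconds: 60);
$now = 1_700_000_000;
$ip = '203.0.113.7';

for ($i = 1; $i <= 6; $i++) {
    echo "attempt {$i}: ", handleLogin($users, $dummyHash, $throttle, 'alice@example.com', "guess{$i}", $ip, $now), "\n";
}
echo 'correct password while locked: ',
     handleLogin($users, $dummyHash, $throttle, 'alice@example.com', 'correct horse', $ip, $now), "\n";
echo 'correct password after lockout: ',
     handleLogin($users, $dummyHash, $throttle, 'alice@example.com', 'correct horse', $ip, $now + 61), "\n";
```

Run with `php throttle.php`: the first five wrong guesses are rejected as invalid credentials, the sixth is refused before the password is checked because the account and address keys are now locked for 60 seconds, the correct password is likewise refused during the lockout, and the same login succeeds once the clock has moved past the lockout. Keying on both the account and the source address is what makes the limit meaningful against the unrestricted guessing described in the Reproduction section, since a guess at one account from many addresses and guesses at many accounts from one address each exhaust a counter.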
