Login Form security is checked after the pw is verified #4623
Labels: Bug (for errors / faults / flaws / inconsistencies etc.), c: Security (for issues that make Matomo more secure; please report issues through HackerOne and not in GitHub), worksforme (the issue cannot be reproduced and things work as intended)
I am in the process of configuring my piwik installation to work with Cloudflare, so I have set a client-ip configuration. Currently this is missing something, so that the form security check of the login form fails.

I once accidentally used the wrong user when checking the login, and that gave the error "user or password incorrect" and not "form security failed". This means that the user/password check comes first and then the security check for the form, which is not good, since this will enable attackers to make brute-force attempts even though they cannot get through the security check of the form. It would be better to first do the general form check and then the user/password check, to disclose less information.
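The ordering the report describes, shown as an added Python example (this is not Matomo's code; the user store, nonce value and handler names are constructed for illustration). The `is_oracle` helper checks whether a handler's reply to a request with an invalid form nonce still depends on whether the password was right, which is the information leak the report is about.

```python
import hashlib
import hmac

# Constructed sample user store: username -> PBKDF2 hash of the password.
_SALT = b"constructed-salt"
_ITER = 10_000
USERS = {"admin": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)}

# Constructed value standing in for the nonce the server stored in the session
# when it rendered the login form.
FORM_NONCE = "nonce-issued-with-the-form"


def password_ok(user: str, password: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    return hmac.compare_digest(candidate, stored)


def login_vulnerable(user: str, password: str, nonce: str) -> str:
    """Order reported in the issue: credentials first, form nonce second.
    The reply differs depending on the credential check even when the nonce is
    invalid, so a client without a valid form can still test guesses."""
    if not password_ok(user, password):
        return "user or password incorrect"
    if not hmac.compare_digest(nonce, FORM_NONCE):
        return "form security failed"
    return "ok"


def login_fixed(user: str, password: str, nonce: str) -> str:
    """Order proposed in the issue: reject on the form check before the
    credentials are ever evaluated, so an invalid nonce yields one fixed reply."""
    if not hmac.compare_digest(nonce, FORM_NONCE):
        return "form security failed"
    if not password_ok(user, password):
        return "user or password incorrect"
    return "ok"


def is_oracle(handler) -> bool:
    """True if, with an invalid nonce, the reply reveals whether the password was right."""
    right = handler("admin", "correct horse", "bad-nonce")
    wrong = handler("admin", "wrong guess", "bad-nonce")
    return right != wrong
```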