EOSERV Forum > WebCP > Anti-Brute Force shit fix for WebCP
Anti-Brute Force shit fix for WebCP
Post #199714 Anti-Brute Force shit fix for WebCP

Since there isn't yet an official fix, you can use this quick garbage correction in your webcp common.php file around line 375. You will also need to add a new table in your server database named "webcp" with the columns "userip, account, lastlogin, attempts". This allows 10 failed login attempts per 5 minutes, but you can change it or pretty it up with custom values in the config.php or whatever. This should slow machine cracking of any dictionary-word password to several months up to a year.

// Work out the client address used as the rate-limit key.
// HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers, so a client can set them itself.
$userip = $_SERVER['REMOTE_ADDR'];
if (!empty($_SERVER['HTTP_CLIENT_IP']))
{
    $userip = $_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
    $userip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
$now = time();
$lastlogin = 0;
$count = 0;
$tpl->statusstr = $statusstr;
$loginretry = true; // becomes false once this IP/account pair is over the retry limit
if (isset($_REQUEST['action']))
{
    switch ($_REQUEST['action'])
    {
        case 'logout':
            unset($sess->username);
            // falls through to 'login'; without POSTed credentials nothing else happens

        case 'login':
            if (isset($_POST['username'], $_POST['password']))
            {
                $password = hash('sha256', $salt . strtolower($_POST['username']) . substr($_POST['password'], 0, 12));
                $checklogin = $db->SQL("SELECT username FROM accounts WHERE username = '$' AND password = '$'", strtolower($_POST['username']), $password);
                $currentlogin = $db->SQL("SELECT userip, account, lastlogin, attempts FROM webcp WHERE userip = '$' AND account = '$'", $userip, strtolower($_POST['username']));

                // First attempt from this IP/account pair has no row yet, so only read it when present
                if (!empty($currentlogin))
                {
                    $lastlogin = $currentlogin[0]['lastlogin'];
                    $count = $currentlogin[0]['attempts'];
                }
                // Locked out after 10 failures while the most recent attempt is under 5 minutes old
                if (($count > 9) and (($lastlogin + 300) > $now))
                {
                    $loginretry = false;
                }
                if (empty($currentlogin))
                {
                    $db->SQL("INSERT INTO webcp (userip, account, lastlogin, attempts) VALUES ('$', '$', #, #)", $userip, strtolower($_POST['username']), $now, 1);
                }
                if ((empty($checklogin)) or (!$loginretry))
                {
                    // Failed attempt, or an attempt made while locked out: bump the counter and refresh lastlogin
                    $newcount = $count + 1;
                    if ($loginretry)
                    {
                        $tpl->message = "Login failed.";
                    }
                    if (!$loginretry)
                    {
                        $tpl->message = "Login failed: Retry limit exceeded. Please try again later.";
                    }
                    $db->SQL("UPDATE webcp SET lastlogin = #, attempts = # WHERE userip = '$' AND account = '$'", $now, $newcount, $userip, strtolower($_POST['username']));
                    break;
                }
                else
                {
                    // Successful login resets the counter
                    $db->SQL("UPDATE webcp SET lastlogin = #, attempts = # WHERE userip = '$' AND account = '$'", $now, 0, $userip, strtolower($_POST['username']));
                    $sess->username = $checklogin[0]['username'];
                    $tpl->message = "Logged in.";
                }
            }
            break;
    }
}

8 years, 33 weeks ago
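The counter logic from the post above, as an added stand-alone example (not WebCP's code and not the poster's): it keeps the post's "webcp" table, its column names and the 10-failures-per-300-seconds rule, but uses PDO with an in-memory SQLite table instead of the WebCP `$db->SQL` helper so it can be run on its own. The function names, the PDO setup and the sample address are assumptions for the demo.

```php
<?php
// Added example, not WebCP's own code: a stand-alone version of the
// per-(IP, account) failed-login counter described in the post above.
// Table name, column names and the 10-per-300s policy come from the post;
// the PDO/SQLite setup, function names and sample data are assumptions.

const MAX_ATTEMPTS = 10;  // failures before the pair is locked out
const WINDOW_SECS  = 300; // lockout lasts while the last attempt is this recent

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE webcp (userip TEXT, account TEXT, lastlogin INTEGER, attempts INTEGER, PRIMARY KEY (userip, account))');
    return $db;
}

// Row for this (ip, account) pair, or null if the pair has never been seen.
function get_state(PDO $db, string $ip, string $account): ?array
{
    $st = $db->prepare('SELECT lastlogin, attempts FROM webcp WHERE userip = ? AND account = ?');
    $st->execute([$ip, $account]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same rule as the post: refuse while the attempt count has reached the
// limit and the most recent attempt is less than WINDOW_SECS old.
function login_allowed(PDO $db, string $ip, string $account, int $now): bool
{
    $row = get_state($db, $ip, $account);
    if ($row === null) {
        return true;
    }
    $locked = (int) $row['attempts'] >= MAX_ATTEMPTS && (int) $row['lastlogin'] + WINDOW_SECS > $now;
    return !$locked;
}

// Record one attempt. Success resets the counter; a failure (including one
// made while locked out) increments it and refreshes lastlogin, so a client
// that keeps hammering the form keeps itself locked out.
function record_attempt(PDO $db, string $ip, string $account, int $now, bool $success): void
{
    $row = get_state($db, $ip, $account);
    $attempts = $success ? 0 : (($row === null ? 0 : (int) $row['attempts']) + 1);
    $st = $db->prepare('INSERT OR REPLACE INTO webcp (userip, account, lastlogin, attempts) VALUES (?, ?, ?, ?)');
    $st->execute([$ip, $account, $now, $attempts]);
}

// Constructed walk-through: eleven wrong passwords in quick succession from
// one address, then a check after the window has passed.
$db      = open_db();
$ip      = '203.0.113.7'; // documentation-range address, constructed
$account = 'demo';
$t0      = 1000000;       // arbitrary epoch seconds for the demo

for ($i = 1; $i <= 11; $i++) {
    $now = $t0 + $i;
    $allowed = login_allowed($db, $ip, $account, $now);
    printf("attempt %2d: %s\n", $i, $allowed ? 'password checked (wrong)' : 'rejected, retry limit exceeded');
    record_attempt($db, $ip, $account, $now, false);
}
printf("after %d s idle: %s\n", WINDOW_SECS, login_allowed($db, $ip, $account, $t0 + 11 + WINDOW_SECS) ? 'allowed again' : 'still locked');
```

Attempts 1 to 10 reach the password check, attempt 11 is rejected, and once 300 seconds have passed with no further attempts the pair is allowed again. Because only a successful login resets the counter, a pair that has been locked out once is re-locked by every later failure, which is the "one try per five minutes" behaviour the post relies on to slow dictionary attacks.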
Post #199715 Re: Anti-Brute Force shit fix for WebCP

Also there should be a fix to the account req packet.....

---
Remember when is not an organization nor a fucking group, it's simply an idea that we believe in
and live for.
The priority of Remember when should come before oxygen, as oxygen is cosmetic, even life itself is
cosmetic, that's why we offer our worthless lives to The "Remember when"
8 years, 33 weeks ago
Post #199716 Re: Anti-Brute Force shit fix for WebCP

I thought that was clamped via config in the official source, EE handles it slightly differently than EOSERV in that respect.

8 years, 33 weeks ago
Post #199717 Re: Anti-Brute Force shit fix for WebCP

Jesus christ use a pastebin or code tags or something.

BTW this can be bypassed by spoofing a Client-IP or X-Forwarded-For header. You'll have to configure your webserver to drop the headers or take that out.

8 years, 33 weeks ago
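The header-spoofing problem raised in this reply, handled on the application side as an added example (not WebCP's code and not the poster's): the forwarded-for header is only honoured when the TCP peer is one of your own reverse proxies, otherwise REMOTE_ADDR is used. The proxy addresses and the sample requests are constructed for the demo.

```php
<?php
// Added example, not WebCP's own code: pick the client address for the
// rate-limit key without trusting Client-IP / X-Forwarded-For from anyone.
// The forwarded header is used only when REMOTE_ADDR is one of the reverse
// proxies listed below; that list is a constructed assumption.

const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6']; // assumption: your own reverse proxies

function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // A direct connection may carry any header it likes; ignore it.
    if (!in_array($remote, $trusted, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }

    // X-Forwarded-For is "client, proxy1, proxy2, ...": walk from the right,
    // skip hops that are our own proxies, and take the first one that is not.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trusted, true)) {
            // Reject junk so the rate-limit key can only ever be a real address.
            return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $remote;
        }
    }
    return $remote;
}

// Constructed requests: a direct client that sets the header itself, and a
// request that really arrived through one of the trusted proxies.
$direct   = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.20, 10.0.0.6'];

echo 'direct:    ' . client_ip($direct) . "\n";
echo 'via proxy: ' . client_ip($viaProxy) . "\n";
```

For the direct request the spoofed header is ignored and REMOTE_ADDR is returned; for the proxied request the rightmost hop that is not a trusted proxy is returned. If the WebCP host sits behind no proxy at all, the simpler option from the reply applies: use REMOTE_ADDR only and let the web server drop the forwarded headers.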
Post #199718 Re: Anti-Brute Force shit fix for WebCP
Apollo posted: (6th Apr 2016, 12:23 am)

I thought that was clamped via config in the official source, EE handles it slightly differently than EOSERV in that respect.


I was not speaking about the login packet or the account creation one.
I was speaking about the small packet that includes only the id of the account you wanna create... I think clone doesn't have any limitation on that.

Edit: Sausage, come on, he's cleaning your shit.
---
Remember when is not an organization nor a fucking group, it's simply an idea that we believe in
and live for.
The priority of Remember when should come before oxygen, as oxygen is cosmetic, even life itself is
cosmetic, that's why we offer our worthless lives to The "Remember when"
8 years, 33 weeks ago
Post #199719 Re: Anti-Brute Force shit fix for WebCP

If I devote my day to rate-limiting things will you shut up about "Oh my god I can't make accounts with the same name as other accounts so exploitable"? Even if it was rate limited 100x slower you could still get a list of dictionary account names in only a few months.

8 years, 33 weeks ago
Post #199720 Re: Anti-Brute Force shit fix for WebCP

You never replied but here is the WebCP login rate limiting code being added: http://svn.eoserv.net/webcp?op=comp&compare[]=%2F@506&compare[]=%2F@513

It has been implemented on game.eoserv.net. Please leave my inbox in peace.

8 years, 33 weeks ago
Post #199722 Re: Anti-Brute Force shit fix for WebCP

Nice

8 years, 33 weeks ago
Post #199723 Re: Anti-Brute Force shit fix for WebCP

Heh. I like that IPv6 was thought of. Is anyone's WebCP even accessible via IPv6?

---
Wish upon a star!
8 years, 33 weeks ago
Post #199725 Re: Anti-Brute Force shit fix for WebCP
Plasmastar posted: (6th Apr 2016, 02:40 pm)

Heh. I like that IPv6 was thought of. Is anyone's WebCP even accessible via IPv6?


game.eoserv.net is. Slightly annoying since EO itself doesn't support IPv6, so you can't match up players and web users.
8 years, 33 weeks ago