Minor Information Disclosure Vulnerability - Versions earlier than 1.16

 A minor Information Disclosure Vulnerability exists in PHPCredlocker versions earlier that 1.16.


Reported as PHPCRED-35.

Versions of PHPCredlocker prior to version 1.16 contain a minor Information Disclosure Vulnerability whereby a list of valid usernames could be calculated.

Functionality is included within PHPCredlocker to reject requests from a client IP if it has made a number of unsuccessful login attempts (the threshold for the ban is set by the administrator) within a configured period (the default being 24 hours).

However, the implementation of this functionality only applied if the username provided was valid. Therefore an attacker could attempt to bruteforce the system with a succession of usernames (each used a number of times). If a ban was received then the most recently used username was known to be valid. Once the ban expires (or from a different IP) the attacker could then focus on attempting to brute-force the account's password, or calculating other usernames.



Low: Although the system should not disclose them, usernames are not considered to be secret.



The first stable version to include the fix was version 1.16. The fix was implemented as commit fb54ab4