{"id":59353,"date":"2022-10-30T16:20:32","date_gmt":"2022-10-30T08:20:32","guid":{"rendered":"https:\/\/version-2.com\/?p=59353"},"modified":"2023-07-24T18:44:12","modified_gmt":"2023-07-24T10:44:12","slug":"bypassing-account-lockout-on-elabftw-brute-force-login-cve-2022-31007","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2022\/10\/bypassing-account-lockout-on-elabftw-brute-force-login-cve-2022-31007\/","title":{"rendered":"Bypassing Account lockout on elabFTW &#8211; &#038; Brute-force login &#8211; CVE 2022-31007"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"59353\" class=\"elementor elementor-59353\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4da8c5f9 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4da8c5f9\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;decf9c3&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_ta
blet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-133ba185\" data-id=\"133ba185\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fc2da8d post-content elementor-widget elementor-widget-text-editor\" data-id=\"fc2da8d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vblsnn0k9c0kpl6a753924.jpg?tr=w-1800,c-at_max\" width=\"1800\" height=\"1012\" \/>\n\n<div data-v-85c4bf60=\"\" data-v-0bbc59dc=\"\" class=\"news-detail-inner-content\"><p><strong>Introduction:<\/strong><\/p><p>eLabFTW is a free and open source electronic laboratory notebook for researchers.1 Once installed on a server, it allows researchers not only to track their experiments but also to manage their assets in the lab (antibodies, mice, siRNAs, proteins, etc.).<\/p><p><\/p><p><strong>Affected version:<\/strong><\/p><p>This vulnerability affects eLabFTW versions before 4.1.0. It allows attackers to bypass the brute-force protection mechanism by using many different forged PHPSESSID values in the HTTP Cookie header.<\/p><p><\/p><p><strong>CVSS 
v3:<\/strong><\/p><ul><li><p>CVSS Score               6.5 <\/p><\/li><li><p>Confidentiality Impact   Partial <\/p><\/li><li><p>Integrity Impact         Partial <\/p><\/li><li><p>Access Complexity        Low <\/p><\/li><li><p>Vulnerability type       Gain Access <\/p><\/li><li><p>Authentication           Required <\/p><\/li><li><p>Availability Impact      Partial<\/p><\/li><\/ul><p><\/p><p><strong>Mitigation:<\/strong><\/p><ul><li><p>Create a readFailedLoginByIp function in app\/models\/Logs.php that executes a query for log entries where the user field is REMOTE_ADDR and the body is Failed login attempt. <\/p><\/li><li><p>Invoke the readFailedLoginByIp function from login.php to check whether the count has reached the failed-attempt limit and the IP is banned. <\/p><\/li><li><p>Alternatively, use the method recommended by OWASP: Device Cookies.<\/p><\/li><\/ul><p><\/p><p>This mechanism will not impact legitimate users and will effectively thwart brute-force password guessing. In brief, it works as follows:<\/p><p><\/p><ul><li><p>A successful login creates a cookie on the device <\/p><\/li><li><p>Trying too many passwords from an untrusted device (one without a device cookie) locks the account <\/p><\/li><li><p>A locked account can only log in from a trusted device <\/p><\/li><li><p>Even a correct password guess on a locked account will be unsuccessful<\/p><\/li><\/ul><p><\/p><p><strong>Technical Analysis:<\/strong><\/p><p>This section explains how the lockout process works by testing the login page and reviewing the source code, and then assembles an attack process.<\/p><p><\/p><p><strong>Lockout Process:<\/strong><\/p><p>Assuming the administrator email is already known to be \u201cadministrator@elabw.local\u201d, submitting it with a wrong password in the login form produces a failed login message. 
See Appendix A to enumerate valid email accounts.<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vbnobf0k7d0kmigoz8fnys.jpg\"><p><\/p><p>From the flash messages above, failing 3 times results in being banned for 1 hour. Let\u2019s find out where in the source code these messages are triggered.<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vc1dm60khf0kmi3rfqhoe0.jpg\"><p><\/p><p>From the grep result above, two files trigger the error messages: LoginController.php and login.html. Upon further inspection of LoginController.php, line 74 contains an if-else check for failed login attempts.<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vbrjlv0keo0kplcmkf1aj4.jpg\"><p><\/p><p>The code above sets the failed_attempt key in the $Session variable to 1 if it does not exist, or increments it if it does. Because PHP tracks session state using the PHPSESSID value in the Cookie request header, which is controlled by the client, the bypass is obvious: using a random PHPSESSID value, or removing the Cookie header entirely on each request to login.php, forces the application to create a new session, so the <em>failed_attempt <\/em>key is always set to 1. <\/p><p>Inspecting the login page reveals a hidden input called formkey, which is required along with email and password in the data submitted to <strong>LoginController.php<\/strong>.<\/p><p><\/p><p><strong>Attack Process:<\/strong><\/p><p>This section assembles what was found while identifying how the lockout process works. <\/p><p>1. Make a GET request to login.php <\/p><ul><li><p>Extract PHPSESSID from the response header <\/p><\/li><li><p>Extract formkey from the response body <\/p><p><\/p><\/li><\/ul><p>2. 
Make a POST request to LoginController.php including the PHPSESSID and formkey from step 1, with a valid email address and a password wordlist in the data fields <\/p><p>3. Follow the URL redirection from the Location header of the step 2 response <\/p><ul><li><p>If the redirect location is login.php, automatically remove the Cookie header <\/p><\/li><li><p>If the redirect location is not login.php, the attack has succeeded.<\/p><\/li><\/ul><p><\/p><p><strong>Exploitation:<\/strong><\/p><p>The exploit uses Burp Suite\u2019s Intruder3 tool to automate the attack process. The first step is to extract PHPSESSID and formkey from login.php, assuming the request was already made from the browser through the Burp Suite Proxy. Navigate to Proxy &gt; HTTP History, right-click the GET request to \/login.php and select Send to Intruder:<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vc8gmk0kkp0kmi4y13cgvd.jpg\"><p><\/p><p>Now navigate to the Intruder window, choose the Positions tab and remove the Cookie header if it exists:<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vc9mfv0kld0kmi1b2satt1.jpg\"><p><\/p><p>Next, choose the Options tab and scroll down to Grep Extract. Tick Extract the following items from responses and set Maximum capture length to 150:<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vcamkz0kly0kmi2bf9ajuh.jpg\"><p><\/p><p>Click the Add button, then Refetch response, and notice that a Set-Cookie header is being set. 
Select the PHPSESSID value and click OK:<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vcbf1z0km90kmifxb808b2.jpg\"><p><\/p><p>Click the Add button again and do the same for the formkey value:<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vcbzvy0kqa0kplhak97a1m.jpg\"><p><\/p><p>Select the Always option under Redirections:<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vcckv80kqh0kplegwpda6b.jpg\"><p><\/p><p>Navigate to the HTTP History tab in the Proxy window, then select POST <strong>\/app\/controllers\/LoginController.php<\/strong> and copy the raw request:<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vcdf320kna0kmi3qqk1d4g.jpg\"><p><\/p><p>Go back to the Positions tab in the Intruder window, paste the copied raw request into the editor, then click the Add \u00a7 button to mark these fields: PHPSESSID, password and formkey, and set Attack type to Pitchfork:<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vce2vq0kni0kmi9kwp8f1i.jpg\"><p><\/p><p>Next, click the Payloads tab to set 3 payload sets. 
Payload set 1 is for the PHPSESSID cookie value, using \u201cRecursive Grep\u201d:<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vceqjx0knr0kmihymf5wmk.jpg\"><p><\/p><p>Payload set 2 is for the password: set Payload type to \u201c<strong>Simple list<\/strong>\u201d, then click Load to choose a small wordlist file from <strong>\/usr\/share\/wordlists\/wfuzz\/others\/common_pass.txt<\/strong>:<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vcg3560koh0kmiah769ijd.jpg\"><p><\/p><p>Payload set 3 is for formkey, using \u201c<strong>Recursive Grep<\/strong>\u201d:<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vcgxv30koy0kmi5grl7qjb.jpg\"><p><\/p><p>Use mitmproxy\u2019s command-line tool mitmdump as an upstream proxy to automatically remove the Cookie header when following the redirect to <strong>\/app\/controllers\/..\/..\/login.php.<\/strong><\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vcpm5d0kw60kpl7zr5cyet.jpg\"><p><\/p><p>Navigate to Project options &gt; Connections &gt; Upstream Proxy Servers, toggle Override user options and click the Add button. Set the Destination host to the target domain <strong>elabw.local<\/strong>, Proxy host to <strong>127.0.0.1<\/strong> and Proxy port to <strong>8081<\/strong>, and click OK:<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vclcsz0kr00kmihpnrcl02.jpg\"><p><\/p><p>Go back to the Intruder window and start the attack by clicking the Start attack button:<\/p><p><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vcm6w90kuw0kplb0qugvoh.jpg\"><p><\/p><p>In the image above, the Payload1 values change on every request: each is taken from the PHPSESSID column of the previous response and used for the next request. 
This forces the application to create a new session, so the <em>failed_attempt <\/em>key is always set to 1. The lockout process is successfully bypassed. <\/p><p>Notice that in the highlighted request the Length is larger than the others, and in the Response 1 tab the Location header points at \u201c<strong>..\/..\/experiments.php<\/strong>\u201d, meaning the attack was successful.<\/p><p><\/p><p><strong>Workarounds:<\/strong><\/p><p>The only correct way to address this is to upgrade to version 4.1.0. Adding rate limiting upstream of the eLabFTW service is of course also a valid option, with or without upgrading.<\/p><p><\/p><p><strong>References<\/strong>:<\/p><ol><li><p><a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/www.cvedetails.com\/cve\/CVE-2022-31007\/\">https:\/\/www.cvedetails.com\/cve\/CVE-2022-31007\/<\/a> <\/p><\/li><li><p><a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/github.com\/elabftw\/elabftw\/security\/advisories\/GHSA-937c-m7p3-775v\">https:\/\/github.com\/elabftw\/elabftw\/security\/advisories\/GHSA-937c-m7p3-775v<\/a><\/p><\/li><\/ol><p><\/p><p><\/p><p>#burp_suite #account_bypass #elabFTW #<strong>CVE-2022-31007<\/strong><\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8085a61 post-content elementor-widget elementor-widget-shortcode\" data-id=\"8085a61\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\t\t<div data-elementor-type=\"page\" data-elementor-id=\"18103\" class=\"elementor elementor-18103\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-748947f elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"748947f\" data-element_type=\"section\" 
data-e-type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;c4f773e&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7995c19\" data-id=\"7995c19\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a437045 elementor-widget elementor-widget-image-box\" data-id=\"a437045\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><div class=\"elementor-image-box-content\"><h3 class=\"elementor-image-box-title\">About Version 2 Digital<\/h3><p class=\"elementor-image-box-description\">Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.\n<br><br>\nThrough an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\n\t\t<div data-elementor-type=\"page\" data-elementor-id=\"39690\" class=\"elementor elementor-39690\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-748947f elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"748947f\" data-element_type=\"section\" data-e-type=\"section\" 
data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;c4f773e&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7995c19\" data-id=\"7995c19\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ff2a228 elementor-widget elementor-widget-text-editor\" data-id=\"ff2a228\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><\/p>\n<p><b>About VRX<\/b><br><b>VRX&nbsp;<\/b>is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Introduction: eLabFTW is a free and open source electro [&hellip;]<\/p>\n","protected":false},"author":143524195,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[488,476,61],"tags":[477,489],"class_list":["post-59353","post","type-post","status-publish","format-standard","hentry","category-488","category-vrx","category-press-release","tag-vrx","tag-489"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Bypassing Account lockout on elabFTW - &amp; Brute-force login - CVE 2022-31007 - Version 2<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.vicarius.io\/blog\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007\" \/>\n<meta property=\"og:locale\" content=\"zh_HK\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Bypassing Account lockout 
on elabFTW - &amp; Brute-force login - CVE 2022-31007 - Version 2\" \/>\n<meta property=\"og:description\" content=\"Introduction: eLabFTW is a free and open source electro [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.vicarius.io\/blog\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007\" \/>\n<meta property=\"og:site_name\" content=\"Version 2\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-30T08:20:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-24T10:44:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl9vblsnn0k9c0kpl6a753924.jpg?tr=w-1800,c-at_max\" \/>\n<meta name=\"author\" content=\"version2hk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"version2hk\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u8a08\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/10\\\/bypassing-account-lockout-on-elabftw-brute-force-login-cve-2022-31007\\\/\"},\"author\":{\"name\":\"version2hk\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/d14d2d3cd77ffdb618b9f1330fe084db\"},\"headline\":\"Bypassing Account lockout on elabFTW &#8211; &#038; Brute-force login &#8211; CVE 
2022-31007\",\"datePublished\":\"2022-10-30T08:20:32+00:00\",\"dateModified\":\"2023-07-24T10:44:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/10\\\/bypassing-account-lockout-on-elabftw-brute-force-login-cve-2022-31007\\\/\"},\"wordCount\":1016,\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl9vblsnn0k9c0kpl6a753924.jpg?tr=w-1800,c-at_max\",\"keywords\":[\"vRx\",\"2022\"],\"articleSection\":[\"2022\",\"vRx\",\"Press Release\"],\"inLanguage\":\"zh-HK\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/10\\\/bypassing-account-lockout-on-elabftw-brute-force-login-cve-2022-31007\\\/\",\"url\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007\",\"name\":\"Bypassing Account lockout on elabFTW - & Brute-force login - CVE 2022-31007 - Version 
2\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl9vblsnn0k9c0kpl6a753924.jpg?tr=w-1800,c-at_max\",\"datePublished\":\"2022-10-30T08:20:32+00:00\",\"dateModified\":\"2023-07-24T10:44:12+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007#breadcrumb\"},\"inLanguage\":\"zh-HK\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007#primaryimage\",\"url\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl9vblsnn0k9c0kpl6a753924.jpg?tr=w-1800,c-at_max\",\"contentUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl9vblsnn0k9c0kpl6a753924.jpg?tr=w-1800,c-at_max\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9801\",\"item\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Bypassing Account lockout on elabFTW &#8211; &#038; Brute-force login &#8211; CVE 
2022-31007\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"name\":\"Version 2\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/version-2.com\\\/zh\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-HK\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\",\"name\":\"Version 2\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"width\":1795,\"height\":335,\"caption\":\"Version 
2\"},\"image\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/d14d2d3cd77ffdb618b9f1330fe084db\",\"name\":\"version2hk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"caption\":\"version2hk\"},\"sameAs\":[\"http:\\\/\\\/version2xfortcom.wordpress.com\"],\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/author\\\/version2hk\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Bypassing Account lockout on elabFTW - & Brute-force login - CVE 2022-31007 - Version 2","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.vicarius.io\/blog\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007","og_locale":"zh_HK","og_type":"article","og_title":"Bypassing Account lockout on elabFTW - & Brute-force login - CVE 2022-31007 - Version 2","og_description":"Introduction: eLabFTW is a free and open source electro [&hellip;]","og_url":"https:\/\/www.vicarius.io\/blog\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007","og_site_name":"Version 
2","article_published_time":"2022-10-30T08:20:32+00:00","article_modified_time":"2023-07-24T10:44:12+00:00","author":"version2hk","twitter_misc":{"Author":"version2hk","Estimated reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.vicarius.io\/blog\/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007#article","author":{"name":"version2hk"},"headline":"Bypassing Account lockout on elabFTW &#8211; &#038; Brute-force login &#8211; CVE 2022-31007","datePublished":"2022-10-30T08:20:32+00:00","dateModified":"2023-07-24T10:44:12+00:00","wordCount":1016,"inLanguage":"zh-HK"}]}}}