Currently, passwords can be brute-forced by a remote attacker by trying to log in with guessed passwords until success.
This can easily be prevented by introducing a (configurable) limit to the failed login attempts. After that, the user cannot log in anymore and a phpshell admin must unlock the user (e.g. by editing a value in the config.php file).
This would be my idea of implementing it:
- introduce a new value in the config.php [settings] section: max-login-attempts. Here the admin can specify the number of failed login attempts after which the user is locked.
- A number is recorded and kept for each user that states the current amount of failed logins
- if this number is equal to or larger than max-login-attempts the user cannot log in at all
- this number is increased by one after each failed login-attempt for this user
- this number is set to zero after a successful login
- after a successful or failed login, the number of failed login-attempts will be shown to the user
This new feature would greatly increase the security of the script.
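The following is an added illustration of the counter-and-threshold logic proposed above; it is not phpshell's own code. It assumes the threshold is read from a `max-login-attempts` key in the `[settings]` section of config.php (parsed with `parse_ini_file`, which is an assumption about the config format), and it keeps the per-user counters in a JSON file at an assumed path outside the web root so they survive between requests.

```php
<?php
// Added example, not phpshell's own code: a per-user failed-login counter
// with a configurable lockout threshold, in the spirit of the proposal above.
// Assumed: config.php is INI-style with a [settings] section holding
// max-login-attempts; counters live in a JSON file outside the web root.

declare(strict_types=1);

const ATTEMPTS_FILE = '/var/lib/phpshell/login-attempts.json'; // assumed path

// Read the threshold from config.php; fall back to 5 if the key is missing.
function max_attempts_from_config(string $configFile): int
{
    $ini = @parse_ini_file($configFile, true);
    return (int) ($ini['settings']['max-login-attempts'] ?? 5);
}

function load_attempts(string $file): array
{
    if (!is_file($file)) {
        return [];
    }
    $data = json_decode((string) file_get_contents($file), true);
    return is_array($data) ? $data : [];
}

function save_attempts(string $file, array $attempts): void
{
    // Write to a temp file and rename so a crash mid-write cannot wipe the counters.
    $tmp = $file . '.tmp';
    file_put_contents($tmp, json_encode($attempts), LOCK_EX);
    rename($tmp, $file);
}

function is_locked(array $attempts, string $user, int $max): bool
{
    return ($attempts[$user] ?? 0) >= $max;
}

/**
 * Apply the proposal's rules to one login attempt.
 * $valid is the outcome of the real password check (e.g. password_verify()).
 * Returns ['ok' => bool, 'failed' => int, 'locked' => bool]; 'failed' is the
 * count the proposal says should be shown to the user afterwards.
 */
function record_login(array &$attempts, string $user, bool $valid, int $max): array
{
    if (is_locked($attempts, $user, $max)) {
        // Already at or over the limit: reject regardless of the password.
        // In the real script, test is_locked() first and skip the hash check.
        return ['ok' => false, 'failed' => $attempts[$user], 'locked' => true];
    }
    if ($valid) {
        $attempts[$user] = 0;                       // reset on success
        return ['ok' => true, 'failed' => 0, 'locked' => false];
    }
    $attempts[$user] = ($attempts[$user] ?? 0) + 1; // one more failure
    return [
        'ok'     => false,
        'failed' => $attempts[$user],
        'locked' => $attempts[$user] >= $max,
    ];
}

// --- constructed demo: three wrong guesses, then the right password ---
$max      = 3;   // stands in for max_attempts_from_config('config.php')
$attempts = [];  // stands in for load_attempts(ATTEMPTS_FILE)
$hash     = password_hash('correct horse', PASSWORD_DEFAULT); // constructed user

foreach (['guess1', 'guess2', 'guess3', 'correct horse'] as $try) {
    $r = record_login($attempts, 'alice', password_verify($try, $hash), $max);
    printf("try=%-13s ok=%d failed=%d locked=%d\n", $try, $r['ok'], $r['failed'], $r['locked']);
}
// In the real script: save_attempts(ATTEMPTS_FILE, $attempts) after each call.
// An admin unlocks the user by removing or zeroing the entry in the JSON file.
```

Two points a deployer should keep in mind: the counter file must be writable by the web server but must not be served from the web root, and because the counter is keyed per user, anyone who can reach the login page can push a known username over the limit and lock that user out until an admin intervenes, so pairing the counter with a time-based automatic unlock or an IP-based delay keeps the lockout from becoming a denial-of-service lever.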