| Title | LogicalDOC Community 9.2.1 Improper Restriction of Excessive Authentication Attempts |
|---|
| Description | Summary
The admin login page of LogicalDOC v9.2.1 is vulnerable to unauthenticated credential brute-forcing. An attacker can automate password guessing against the /login.jsp endpoint and tell valid from invalid credentials by differences in the HTTP response (status code and response length), allowing full takeover of the admin account.
Steps to Reproduce
1. Navigate to http://lg.htb:8080/login.jsp
2. Capture a valid login request with Burp Suite
3. Send the captured request to Intruder
4. Set the body/form parameters so that the username is fixed and the password is a payload position, e.g.: j_username=admin&j_password=§admin§
5. Load a password list into Intruder (the example used the "500 worst passwords" list: https://gist.github.com/djaiss/4033452) and run the attack. The two outcomes are distinguishable in the responses:
   Incorrect password: status code 302, response length 675
   Correct password: status code 200, response length 796
6. The correct password is identified and admin access is gained, confirming admin account takeover via password brute-forcing
Impact
*) Full admin account takeover possible via automated credential guessing.
*) Unauthorized access to sensitive documents and configuration.
*) Ability to modify or delete data and create privileged accounts.
*) Potential lateral movement and persistence after compromise.
*) Regulatory, compliance, and reputational exposure.
Recommendation
*) Implement account lockout or progressive rate-limiting after failed attempts.
*) Enforce multi-factor authentication (MFA) for all admin accounts.
*) Normalize authentication responses (same status/body for success and failure).
*) Introduce CAPTCHA or adaptive challenges after suspicious activity.
*) Block or throttle suspicious IPs and use WAF rules to detect automation. |
|---|
| Source | https://gist.github.com/thezeekhan/869aeb01bd981667c35dcac3e72c2bfa |
|---|
| User | Zeeshan Khan (UID 91384) |
|---|
| Submission | 10/16/2025 19:00 (8 months ago) |
|---|
| Moderation | 10/31/2025 14:10 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 330807 [LogicalDOC Community Edition up to 9.2.1 Admin Login Page /login.jsp excessive authentication] |
|---|
| Points | 20 |
|---|
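As an added example (not part of the submission or of LogicalDOC's own code), a small detector built on the response signal the report describes: it parses access-log lines for POST /login.jsp, counts 302 (failed-login) responses per source IP in a sliding window, and records whether a 200 (successful login) followed the run. The Combined Log Format, the IPs, timestamps, threshold and window are all assumptions; the log lines are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (Combined Log Format; IPs and times are
# made up). 302 = failed login, 200 = successful login, as observed in the report.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Oct/2025:18:55:01 +0000] "POST /login.jsp HTTP/1.1" 302 675 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2025:18:55:02 +0000] "POST /login.jsp HTTP/1.1" 302 675 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2025:18:55:03 +0000] "POST /login.jsp HTTP/1.1" 302 675 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2025:18:55:04 +0000] "POST /login.jsp HTTP/1.1" 302 675 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2025:18:55:05 +0000] "POST /login.jsp HTTP/1.1" 302 675 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2025:18:55:06 +0000] "POST /login.jsp HTTP/1.1" 200 796 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Oct/2025:18:56:00 +0000] "POST /login.jsp HTTP/1.1" 302 675 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Oct/2025:18:57:30 +0000] "POST /login.jsp HTTP/1.1" 200 796 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                     r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    # Returns (ip, timestamp, method, path, status), or None for unparsable lines.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs with >= threshold failed POSTs to /login.jsp inside a sliding
    window, and note whether a successful (200) login followed the run."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or path != "/login.jsp":
            continue  # only the login form submission matters here
        failures = recent[ip]
        if status == 302:  # redirect back to the form marks a failed attempt
            failures.append(ts)
            while ts - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(failures))
        elif status == 200 and ip in alerts:
            alerts[ip]["success_after"] = True  # a guess landed after the run
    return alerts
```

An alert with success_after set is the case that matters most for response: the run of failures was followed by a login, so the credentials should be treated as compromised rather than merely under attack.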