COM_CHANGE_USER allows fast password brute-forcing

Description

If one tries to connect with an incorrect password, the connection is aborted and one has to connect again to try a new password. But if one tries an incorrect password with the COM_CHANGE_USER command, the client is not disconnected, which allows passwords to be brute-forced faster. Additionally, all COM_CHANGE_USER commands issued in a connection use the same scramble value.

We can fix it by allowing only three (or any other small fixed number?) failed COM_CHANGE_USER attempts in a connection.

It probably shouldn't be "three fails in a row", because one would be able to alternate between two known accounts and continue trying other passwords.

Additionally we might add a one second (or any other short fixed time duration) delay after a failed connection or a COM_CHANGE_USER attempt.
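Model of the proposed limit, added here as an illustration and not MariaDB's own code: a per-connection counter of failed COM_CHANGE_USER attempts, compared between a "fails in a row" policy (reset on every successful switch) and the cumulative policy the issue asks for, plus a fresh scramble per command. The limit of 3, the credential store, the hash scheme and the `guesses_before_disconnect` helper are all assumptions for the model; the optional delay is left out.

```python
import hashlib
import os

MAX_FAILED_CHANGE_USER = 3  # assumed value for the issue's "small fixed number"

# Constructed credential store: user -> SHA-256(password). Illustrative only.
USERS = {name: hashlib.sha256(pw).hexdigest() for name, pw in
         (("alice", b"alice-pw"), ("bob", b"bob-pw"), ("admin", b"correct-horse"))}

def response(scramble, password):
    """Client side: prove knowledge of the password against the server's scramble."""
    return hashlib.sha256(scramble + hashlib.sha256(password).hexdigest().encode()).hexdigest()

class Connection:
    """Server-side state for one client connection."""
    def __init__(self, policy):
        self.policy = policy   # "consecutive" (reset on success) or "cumulative"
        self.failed = 0        # failed COM_CHANGE_USER attempts on this connection
        self.open = True
        self.user = None
        self.scramble = os.urandom(20)

    def change_user(self, user, password):
        if not self.open:
            raise ConnectionError("connection closed after too many failed attempts")
        # Fresh scramble for every COM_CHANGE_USER, instead of the reused value the issue describes.
        scramble, self.scramble = self.scramble, os.urandom(20)
        stored = USERS.get(user)
        expected = hashlib.sha256(scramble + stored.encode()).hexdigest() if stored else None
        if expected is not None and response(scramble, password) == expected:
            self.user = user
            if self.policy == "consecutive":
                self.failed = 0  # reset on success: the weakness the issue warns about
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_CHANGE_USER:
            self.open = False    # force a reconnect, like a failed initial login does
        return False

def guesses_before_disconnect(policy, target="admin", max_guesses=100):
    """Count wrong guesses at `target` one connection accepts when each guess is
    interleaved with a switch to an account the client already knows."""
    conn = Connection(policy)
    known = [("alice", b"alice-pw"), ("bob", b"bob-pw")]
    guesses = 0
    try:
        while guesses < max_guesses:
            conn.change_user(target, ("wrong-%d" % guesses).encode())
            guesses += 1
            conn.change_user(*known[guesses % 2])
    except ConnectionError:
        pass
    return guesses
```

With the cumulative policy the connection is dropped after 3 failures; with the "in a row" policy it never is, which is the point of the remark above.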

Environment

None

Status

Assignee

Sergei Golubchik

Reporter

Sergei Golubchik

Labels

None

External issue ID

None

Fix versions

Affects versions

5.2.13
5.5.28a
5.1.66
5.3.11

Priority

Major