
COM_CHANGE_USER allows fast password brute-forcing

If one tries to connect with an incorrect password, the connection is aborted and one has to connect again to try a new password. But if one tries an incorrect password with the COM_CHANGE_USER command, the client is not disconnected, which allows passwords to be brute-forced faster. Additionally, all COM_CHANGE_USER commands issued in a connection use the same scramble value.

We can fix it by allowing only three (or some other small fixed number?) failed COM_CHANGE_USER attempts in a connection.

It probably shouldn't be "three fails in a row", because one would be able to alternate between two known accounts and continue trying other passwords.

Additionally we might add a one second (or any other short fixed time duration) delay after a failed connection or a COM_CHANGE_USER attempt.
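The following is an added example illustrating the report, not code from MariaDB or from the reporter. It models one client connection the way the description does: a single 20-byte scramble for the whole connection, a mysql_native_password check for each COM_CHANGE_USER, and a cap of three failed attempts. The `Connection` class, the `brute_force` attacker loop and the `count_mode` switch are assumptions made for the demonstration; the `"consecutive"` mode is the "three fails in a row" variant the report warns against, and `brute_force` shows how an attacker who owns one account defeats it by alternating.

```python
import hashlib
import os
import time


def native_password_response(password: bytes, scramble: bytes) -> bytes:
    """Client side of mysql_native_password:
    SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw)))."""
    h1 = hashlib.sha1(password).digest()
    h2 = hashlib.sha1(h1).digest()
    h3 = hashlib.sha1(scramble + h2).digest()
    return bytes(a ^ b for a, b in zip(h1, h3))


def stage2_hash(password: bytes) -> bytes:
    """What the server stores for the account: SHA1(SHA1(pw))."""
    return hashlib.sha1(hashlib.sha1(password).digest()).digest()


def verify_native(stored_stage2: bytes, scramble: bytes, response: bytes) -> bool:
    """Server side: recover SHA1(pw) from the response and hash it once more."""
    h3 = hashlib.sha1(scramble + stored_stage2).digest()
    h1 = bytes(a ^ b for a, b in zip(response, h3))
    return hashlib.sha1(h1).digest() == stored_stage2


class Connection:
    """Hypothetical per-connection server state (assumption, not MariaDB code)."""

    MAX_FAILED_CHANGE_USER = 3

    def __init__(self, accounts, count_mode="total", failure_delay=0.0):
        self.accounts = accounts            # user -> SHA1(SHA1(pw))
        self.scramble = os.urandom(20)      # one scramble per connection, as reported
        self.count_mode = count_mode        # "total" (proposed) or "consecutive" (flawed)
        self.failure_delay = failure_delay  # the optional short delay after a failure
        self.failed = 0
        self.open = True
        self.user = None

    def change_user(self, user: str, response: bytes) -> bool:
        if not self.open:
            raise ConnectionError("connection closed")
        stage2 = self.accounts.get(user)
        ok = stage2 is not None and verify_native(stage2, self.scramble, response)
        if ok:
            self.user = user
            if self.count_mode == "consecutive":
                self.failed = 0   # a success wipes the count: this is the weakness
            return True
        self.failed += 1
        time.sleep(self.failure_delay)
        if self.failed >= self.MAX_FAILED_CHANGE_USER:
            self.open = False     # server drops the connection
        return False


def brute_force(conn, target, candidates, known_user, known_pw):
    """Attacker who already owns known_user guesses target's password over one
    connection, logging back into known_user after every miss.
    Returns (password_found_or_None, number_of_guesses_sent)."""
    tried = 0
    for pw in candidates:
        if not conn.open:
            break
        tried += 1
        if conn.change_user(target, native_password_response(pw, conn.scramble)):
            return pw, tried
        if conn.open:
            conn.change_user(known_user, native_password_response(known_pw, conn.scramble))
    return None, tried


# Constructed sample accounts and wordlist for the demonstration.
ACCOUNTS = {"alice": stage2_hash(b"s3cret"), "mallory": stage2_hash(b"mallory")}
WORDLIST = [b"a", b"b", b"c", b"d", b"s3cret"]


def run_demo():
    flawed = brute_force(Connection(ACCOUNTS, "consecutive"), "alice", WORDLIST,
                         "mallory", b"mallory")
    fixed = brute_force(Connection(ACCOUNTS, "total"), "alice", WORDLIST,
                        "mallory", b"mallory")
    return flawed, fixed


if __name__ == "__main__":
    print(run_demo())
```

With the consecutive counter the attacker never accumulates three misses and walks the whole wordlist on one connection; with the total counter the third miss closes the connection and every further guess costs a fresh handshake (and, if the delay is added, a wait). Because the scramble is fixed for the connection, `native_password_response` is computed once per candidate, so nothing in the protocol slows the flawed variant down.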

Assignee: Sergei Golubchik

Reporter: Sergei Golubchik

Affects versions: 5.5.28a, 5.3.11, 5.2.13, 5.1.66

Priority: Major