MISP/app/Model/Bruteforce.php

<?php
App::uses('AppModel', 'Model');
App::uses('Sanitize', 'Utility');

/**
 * Bruteforce Model
 *
 */
class Bruteforce extends AppModel {

	public function insert($ip, $username) {
		$expire = Configure::read('SecureAuth.expire');
		// sanitize fields
		$ip = Sanitize::clean($ip);
		$username = Sanitize::clean($username);
		$this->query("INSERT INTO `bruteforces` (`ip` , `username` , `expire` ) VALUES ('$ip', '$username', TIMESTAMPADD(SECOND,$expire, NOW()));");
	}

	public function clean() {
		$this->query("DELETE FROM `bruteforces` WHERE `expire`<=NOW();");
	}

	public function isBlacklisted($ip,$username) {
		// first remove old expired rows
		$this->clean();
		// count
		$params = array('conditions' => array(
						'Bruteforce.ip' => $ip,
						'Bruteforce.username' => $username),);
		$count = $this->find('count', $params);
		if ($count >= Configure::read('SecureAuth.amount')) return true;
		else return false;
	}
}
implementation of a anti-brute-force password guessing mechanism. 2012-06-06 11:00:02 +02:00			`<?php`
			`App::uses('AppModel', 'Model');`
fixed huge SQL injection vulnerability created in bruteforce protection. Shame on me !!! 2012-06-06 11:12:19 +02:00			`App::uses('Sanitize', 'Utility');`

implementation of a anti-brute-force password guessing mechanism. 2012-06-06 11:00:02 +02:00			`/**`
			`* Bruteforce Model`
			`*`
			`*/`
			`class Bruteforce extends AppModel {`

CakePHP Coding Standards http://book.cakephp.org/2.0/en/contributing/cakephp-coding-conventions.html Eclipse: Window->Preferences General->Editors->Text Editors Displayed tab width: 4 Insert spaces for tabs NOT PHP->Code Style->Formatter Tab policy: Tabs File->Convert Line Delimeters To->Unix [default] http://mark-story.com/posts/view/static-analysis-tools-for-php for instance: phpcs --standard=CakePHP app/Model/ Not yet done is all camel caps format. 2012-09-18 15:30:32 +02:00			`public function insert($ip, $username) {`
			`$expire = Configure::read('SecureAuth.expire');`
			`// sanitize fields`
			`$ip = Sanitize::clean($ip);`
			`$username = Sanitize::clean($username);`
			$this->query("INSERT INTO `bruteforces` (`ip` , `username` , `expire` ) VALUES ('$ip', '$username', TIMESTAMPADD(SECOND,$expire, NOW()));");
			`}`
implementation of a anti-brute-force password guessing mechanism. 2012-06-06 11:00:02 +02:00
CakePHP Coding Standards http://book.cakephp.org/2.0/en/contributing/cakephp-coding-conventions.html Eclipse: Window->Preferences General->Editors->Text Editors Displayed tab width: 4 Insert spaces for tabs NOT PHP->Code Style->Formatter Tab policy: Tabs File->Convert Line Delimeters To->Unix [default] http://mark-story.com/posts/view/static-analysis-tools-for-php for instance: phpcs --standard=CakePHP app/Model/ Not yet done is all camel caps format. 2012-09-18 15:30:32 +02:00			`public function clean() {`
			$this->query("DELETE FROM `bruteforces` WHERE `expire`<=NOW();");
			`}`
implementation of a anti-brute-force password guessing mechanism. 2012-06-06 11:00:02 +02:00
CakePHP Coding Standards http://book.cakephp.org/2.0/en/contributing/cakephp-coding-conventions.html Eclipse: Window->Preferences General->Editors->Text Editors Displayed tab width: 4 Insert spaces for tabs NOT PHP->Code Style->Formatter Tab policy: Tabs File->Convert Line Delimeters To->Unix [default] http://mark-story.com/posts/view/static-analysis-tools-for-php for instance: phpcs --standard=CakePHP app/Model/ Not yet done is all camel caps format. 2012-09-18 15:30:32 +02:00			`public function isBlacklisted($ip,$username) {`
			`// first remove old expired rows`
			`$this->clean();`
			`// count`
			`$params = array('conditions' => array(`
			`'Bruteforce.ip' => $ip,`
			`'Bruteforce.username' => $username),);`
			`$count = $this->find('count', $params);`
			`if ($count >= Configure::read('SecureAuth.amount')) return true;`
			`else return false;`
			`}`
implementation of a anti-brute-force password guessing mechanism. 2012-06-06 11:00:02 +02:00			`}`