[GH-ISSUE #1138] No restriction on password attempts allows for brute-force attacks #469

Open
opened 2026-02-25 23:34:17 +03:00 by kerem · 3 comments

Originally created by @vityuasd on GitHub (Aug 28, 2025).
Original GitHub issue: https://github.com/go-shiori/shiori/issues/1138

Data

  • Shiori version: 1.7.4 and earlier
  • Database Engine: SQLite
  • Operating system: windows docker

Describe the bug / actual behavior

No restriction on password attempts allows for brute-force attacks.

Expected behavior

Brute-force until successful login.

To Reproduce

  1. Navigate to the login page.
  2. Capture the login POST request with Burp Suite.
  3. Use the Intruder tool to perform the brute-force attack.

Screenshots

Image

@mirkoperillo commented on GitHub (Aug 29, 2025):

In my opinion there are other tools (like fail2ban, for example, or a reverse proxy) that can be used to monitor this misbehavior.

The codebase of shiori should implement only the features strictly related to its scope (bookmark management).

My 2 cents.


@vityuasd commented on GitHub (Aug 29, 2025):

@mirkoperillo Really appreciate you sharing your thoughts.

I totally get that tools like fail2ban are super useful for tech-savvy users, but if we only depend on external solutions, we're kinda putting the security responsibility on everyday users — and let's be honest, most folks might not even know this is a risk or how to set things up properly.

That's why even basic protection, like limiting login attempts, should be a must for pretty much any web app, especially if it deals with user data.

I mean, just look at standards like CWE-307 (you know, the one called "Improper Restriction of Excessive Authentication Attempts"). It shows this isn't some rare edge case, but a real and widely recognized security requirement.

Thanks again for your reply!


@mirkoperillo commented on GitHub (Sep 23, 2025):

@vityuasd thank you for the resources you linked here, very interesting.

I have to say I'm not entirely convinced. In a way it is the same thing as https: every service should be protected by https nowadays, it is a hard requirement, but normally you obtain this using nginx, caddy or another reverse proxy to avoid writing and maintaining this feature in your codebase.

However, I'm just a shiori user like you and the last word rests with the project maintainer.

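For reference, this is what the in-process login-attempt limit argued for above (the control a reverse proxy or fail2ban would otherwise provide from outside) looks like in Go, shiori's language. It is an added example, not shiori's code; the thresholds, the key format and the method names are assumptions.

```go
package main

import (
	"sync"
	"time"
)

// LoginLimiter is an added CWE-307 mitigation example, not shiori's own code: it counts failed
// logins per key (username, client IP or both) with a lockout that doubles at each new threshold.
type LoginLimiter struct {
	MaxFailures       int           // failures tolerated before the first lockout; must be > 0
	BaseLock, MaxLock time.Duration // first lockout length and its upper bound
	mu                sync.Mutex
	failures          map[string]int
	lockedUntil       map[string]time.Time
}

// Allow reports whether an attempt for key may be checked now, and when any lockout ends (zero time if none).
func (l *LoginLimiter) Allow(key string, now time.Time) (bool, time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	until := l.lockedUntil[key]
	return !now.Before(until), until
}

// RecordFailure counts a failed attempt; every MaxFailures failures the key is locked
// for BaseLock, then 2*BaseLock, 4*BaseLock, ... capped at MaxLock.
func (l *LoginLimiter) RecordFailure(key string, now time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.failures == nil {
		l.failures, l.lockedUntil = map[string]int{}, map[string]time.Time{}
	}
	l.failures[key]++
	if n := l.failures[key]; n%l.MaxFailures == 0 {
		lock := l.MaxLock // start from the cap so a large shift can never overflow to a zero lockout
		if shift := n/l.MaxFailures - 1; shift < 30 && l.BaseLock<<shift < l.MaxLock {
			lock = l.BaseLock << shift
		}
		l.lockedUntil[key] = now.Add(lock)
	}
}

// RecordSuccess clears the key once the password was accepted.
func (l *LoginLimiter) RecordSuccess(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.failures, key)
	delete(l.lockedUntil, key)
}
```

Keying on username plus client IP limits how far a remote party can lock a legitimate user out of their own account; logging each lockout also gives fail2ban-style tooling something to act on.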