# Monstra <= 3.0.1 Admin Bruteforce Limit Bypass

Affected code: admin/index.php, lines 33-42
```php
// Admin login
if (Request::post('login_submit')) {
    // Throttle check: the attempt counter is read back from a cookie the client sent
    if (Cookie::get('login_attempts') && Cookie::get('login_attempts') >= 5) {
        $login_error = __('You are banned for 10 minutes. Try again later', 'users');
    } else {
        $user = $users->select("[login='" . trim(Request::post('login')) . "']", null);
        // ... remainder of the handler omitted in the advisory
    }
}
```
The brute-force protection relies entirely on a counter stored in the client's own browser, the `login_attempts` cookie. Nothing on the server records how many times a login name has been tried, so an attacker's brute-force script that clears its cookie jar after every request, or never sends cookies at all, never presents a counter of 5 and is never banned.
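The following is an added example, not Monstra's code: a Python model of the cookie-based throttle from admin/index.php next to a server-side counter, driven by the same attacker loop. `USERS` and `WORDLIST` are constructed demo data and `jar` stands in for the browser's cookie store; no network or real Monstra install is involved.

```python
"""Model of Monstra's cookie-based login throttle next to a server-side one.

Added example for this advisory, not Monstra's own code. The dict `jar`
stands in for the browser's cookie store and `USERS` is a constructed
credential table; no network or real Monstra install is involved.
"""
import time

MAX_ATTEMPTS = 5
BAN_SECONDS = 600                    # "banned for 10 minutes"
USERS = {"admin": "letmein7"}        # constructed demo credential
# Constructed wordlist; the real password is deliberately last.
WORDLIST = ["123456", "password", "admin", "qwerty", "monstra", "welcome", "letmein7"]


def cookie_login(jar, login, password):
    """Same logic as admin/index.php: the attempt counter is the client's own
    `login_attempts` cookie. Returns (result, cookies_to_set) the way an HTTP
    response would carry a Set-Cookie header."""
    attempts = int(jar.get("login_attempts", 0))
    if attempts >= MAX_ATTEMPTS:
        return "banned", {}
    if USERS.get(login) == password:
        return "ok", {"login_attempts": "0"}
    return "invalid", {"login_attempts": str(attempts + 1)}


class ServerSideThrottle:
    """Hardened variant: failures are counted in server-side state keyed by the
    target login, so a client that drops, edits or never sends cookies cannot
    reset the counter. `clock` is injectable so ban expiry can be tested."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}             # login -> (failure_count, banned_until)

    def login(self, login, password):
        count, banned_until = self._state.get(login, (0, 0.0))
        now = self._clock()
        if banned_until > now:
            return "banned"
        if USERS.get(login) == password:
            self._state.pop(login, None)   # successful login clears the record
            return "ok"
        count += 1
        if count >= MAX_ATTEMPTS:
            self._state[login] = (0, now + BAN_SECONDS)
        else:
            self._state[login] = (count, 0.0)
        return "invalid"


def brute_force(attempt, candidates):
    """Attacker loop: attempt(pw) returns 'ok', 'invalid' or 'banned'.
    Returns (password_or_None, requests_sent, hit_ban)."""
    for n, pw in enumerate(candidates, 1):
        result = attempt(pw)
        if result == "ok":
            return pw, n, False
        if result == "banned":
            return None, n, True
    return None, len(candidates), False


def cookie_client(keep_cookies):
    """Client against the cookie-throttled endpoint. With keep_cookies=False
    every Set-Cookie is discarded, which is exactly the bypass the advisory
    describes: the server never sees login_attempts reach 5."""
    jar = {}

    def attempt(password):
        result, set_cookies = cookie_login(jar, "admin", password)
        if keep_cookies:
            jar.update(set_cookies)
        return result
    return attempt


def server_client(throttle):
    """Client against the server-side throttle; cookies play no role."""
    return lambda password: throttle.login("admin", password)


if __name__ == "__main__":
    print("well-behaved browser:  ", brute_force(cookie_client(True), WORDLIST))
    print("cookie-dropping script:", brute_force(cookie_client(False), WORDLIST))
    print("server-side counter:   ", brute_force(server_client(ServerSideThrottle()), WORDLIST))
```

Run as a script, the well-behaved browser is banned on its sixth request, the cookie-dropping script walks the whole wordlist and recovers the password, and the server-side counter bans the sixth request no matter what the client sends. Keying the server-side record by login name alone means an attacker can deliberately lock the real admin out for ten minutes; keying by source address alone can be evaded by rotating addresses. A deployment has to choose that trade-off consciously (for example a per-login lockout combined with a per-address delay), but either choice is strictly better than trusting a counter the client controls.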