Bug #391
Email-based password reset allows brute force attack using wildcard *
| Status: | New | Start: | 24/01/2012 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | Self Service Password | | |
| Target version: | self-service-password-? | | |
Description
The email-based password reset allows an individual to test for user names to attack by using '*' wildcards, i.e., you can enter jc* in the username and it will return an error to you that indicates if it found a user name that matches by starting with the letters j and c.
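As an added illustration of the report above (Python example written for this page, not the Self Service Password project's own PHP code), the snippet below puts the behaviour described beside a hardened form. It assumes a constructed three-entry directory and a toy filter evaluator; the escaping follows RFC 4515, and the fixed reply is the same whether zero, one or several entries matched.

```python
import re

# Constructed in-memory stand-in for the LDAP directory the reset page
# searches; only the uid attribute matters here.
DIRECTORY = {"jcampbell", "jdoe", "coudot"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so that '*', '(', ')', '\\'
    and NUL are matched literally instead of acting as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def directory_search(filter_value: str) -> set:
    """Toy LDAP server evaluating (uid=<filter_value>) as RFC 4515 says:
    an unescaped '*' is a substring wildcard, '\\xx' is a literal character."""
    pieces = []
    for piece in filter_value.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    pattern = re.compile("^" + ".*".join(pieces) + "$")
    return {uid for uid in DIRECTORY if pattern.match(uid)}


def reset_message_vulnerable(username: str) -> str:
    """Behaviour the report describes: raw input reaches the filter and the
    reply depends on what the lookup found, so 'jc*' confirms a jc... user."""
    hits = directory_search(username)
    if not hits:
        return "Error: no account matches this login."
    if len(hits) > 1:
        return "Error: more than one account matches this login."
    return "A reset link has been sent to the address on file."


def reset_message_fixed(username: str) -> str:
    """Hardened form: the value is escaped so '*' cannot widen the search,
    and the reply is identical whatever the lookup found. Mail would be sent
    only when exactly one entry matched; the reply does not reveal that."""
    hits = directory_search(escape_filter_value(username))
    if len(hits) == 1:
        pass  # hypothetical send_reset_mail(hits.pop()) would go here
    return "If this login exists, a reset link has been sent to its address."


if __name__ == "__main__":
    for probe in ("jc*", "zz*", "jcampbell"):
        print(probe, "|", reset_message_vulnerable(probe), "|", reset_message_fixed(probe))
```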
History
Updated by Clément OUDOT 4 months ago
Well seen. We can maybe add an option to allow returning such messages; otherwise we will never say whether the account exists or not.
Updated by Joe Campbell 4 months ago
- File ltb-patch.tar added
Attaching a patch file that contains the following:
- A fix for this brute force attack
- A few English syntax fixes for the interface
- A few CSS changes to the interface
- the addition of an administrative email on passwd changes
- Externalization of the ldap specific config to a sep. configuration file
I would have done these all separately (independent patches), but I failed to be involved in this project to start out with; I just downloaded and used it to fill a need in my org. I am sure it will take a while to incorporate all the stuff in this patch, but PLEASE ask questions if you have them.
Thanks.