PHPCRED-35: IDV: User's IP is only banned when using valid usernames

Issue Type: Bug

Priority: Major

Status: Closed

Reported By:

Ben Tasker

Assigned To:

Ben Tasker

Project: PHPCredlocker (PHPCRED)

Resolution: Fixed (2014-08-07 01:11:39)

Affects Version: 1.15,

Target version: 1.25,

Components: Authentication ,

Labels: Security,

Created: 2014-08-07 00:52:50

Time Spent Working

Include Subtasks

Description

Given sufficient time and patience, an attacker could identify valid usernames by repeatedly trying to authenticate and seeing which usernames lead to his IP being banned.

The system currently only logs a failed attempt (and eventually blocks the IP) if the username is valid

Toggle State Changes

Activity

Ben Tasker
Permalink
2014-08-07 01:11:30

Fixed by commit fb54ab4

Unassigned
Permalink
2014-08-07 01:11:39

btasker changed status from 'Open' to 'Resolved'

Unassigned
Permalink
2014-08-07 01:11:39

btasker added 'Fixed' to resolution

Unassigned
Permalink
2014-08-07 01:11:45

btasker changed status from 'Resolved' to 'Closed'

PHPCRED-35: IDV: User's IP is only banned when using valid usernames

Issue Information

Activity