PHPCRED-35: IDV: User's IP is only banned when using valid usernames

Issue Information

Issue Type: Bug
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: PHPCredlocker (PHPCRED)
Resolution: Fixed (2014-08-07 01:11:39)
Affects Version: 1.15
Target version: 1.25
Components: Authentication
Labels: Security

Created: 2014-08-07 00:52:50

Given sufficient time and patience, an attacker could identify valid usernames by repeatedly trying to authenticate and seeing which usernames lead to his IP being banned.

The system currently only logs a failed attempt (and eventually blocks the IP) if the username is valid.
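
The behaviour described above next to a hardened form, as an added example: this is not PHPCredlocker's code and not the contents of commit fb54ab4. The function names, the in-memory user store and failure counter, the threshold of 3 and the sample account are all assumptions made for illustration.

```php
<?php
// Constructed example: in-memory stand-ins for the user table and the failed-login log.
const MAX_FAILURES = 3; // assumed ban threshold
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)]; // constructed account

function isBanned(array $failures, string $ip): bool {
    return ($failures[$ip] ?? 0) >= MAX_FAILURES;
}

// Behaviour described in the issue: a failure is only recorded for a valid username.
function loginBefore(array $users, array &$failures, string $ip, string $user, string $pass): bool {
    if (isBanned($failures, $ip)) return false;
    if (!isset($users[$user])) return false;          // unknown user: nothing is logged
    if (password_verify($pass, $users[$user])) return true;
    $failures[$ip] = ($failures[$ip] ?? 0) + 1;
    return false;
}

// Hardened form: every failed attempt counts against the IP, valid username or not.
function loginAfter(array $users, array &$failures, string $ip, string $user, string $pass): bool {
    static $dummy = null;
    if (isBanned($failures, $ip)) return false;
    // Verify against a dummy hash for unknown users so both paths do similar work.
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $users[$user] ?? $dummy) && isset($users[$user]);
    if ($ok) return true;
    $failures[$ip] = ($failures[$ip] ?? 0) + 1;
    return false;
}

// Number of wrong-password attempts before the IP is banned, or null if it never is.
function attemptsUntilBan(callable $login, array $users, string $user): ?int {
    $failures = [];
    $ip = '203.0.113.7'; // documentation-range address
    for ($i = 1; $i <= 10; $i++) {
        $login($users, $failures, $ip, $user, 'wrong password');
        if (isBanned($failures, $ip)) return $i;
    }
    return null;
}

// A regression check for this issue: the ban must not depend on whether the username exists.
foreach (['loginBefore', 'loginAfter'] as $fn) {
    foreach (['alice', 'nosuchuser'] as $user) {
        $n = attemptsUntilBan($fn, $users, $user);
        printf("%-12s %-11s %s\n", $fn, $user, $n === null ? 'never banned' : "banned after $n");
    }
}
```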

Fixed by commit fb54ab4
btasker changed status from 'Open' to 'Resolved'
btasker added 'Fixed' to resolution
btasker changed status from 'Resolved' to 'Closed'