PHPCRED-35: IDV: User's IP is only banned when using valid usernames



Issue Information

Issue Type: Bug
 
Priority: Major
Status: Closed

Reported By: Ben Tasker
Assigned To: Ben Tasker
Project: PHPCredlocker (PHPCRED)
Resolution: Fixed (2014-08-07 01:11:39)
Affects Version: 1.15
Target version: 1.25
Components: Authentication
Labels: Security

Created: 2014-08-07 00:52:50


Description
Given sufficient time and patience, an attacker could identify valid usernames by repeatedly trying to authenticate and seeing which usernames lead to his IP being banned.

The system currently only logs a failed attempt (and eventually blocks the IP) if the username is valid.



Activity


Fixed by commit fb54ab4
btasker changed status from 'Open' to 'Resolved'
btasker added 'Fixed' to resolution
btasker changed status from 'Resolved' to 'Closed'
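
The behaviour described in this issue and its correction, as an added PHP 8 example; it is not PHPCredlocker's code and not the contents of commit fb54ab4. The class, the threshold, the account and the IP addresses are hypothetical. With `countUnknownUsers` off, only the client that tried an existing username ends up banned; with it on, both clients are banned, so the ban no longer reveals which usernames exist.

```php
<?php
// Added illustration; not PHPCredlocker code. All names are hypothetical.
const MAX_FAILURES = 3; // assumed ban threshold

final class LoginThrottle
{
    /** @var array<string,int> failed attempts per client IP */
    private array $failures = [];

    /** @param array<string,string> $users username => password_hash() output */
    public function __construct(private array $users, private bool $countUnknownUsers) {}

    public function isBanned(string $ip): bool
    {
        return ($this->failures[$ip] ?? 0) >= MAX_FAILURES;
    }

    public function attempt(string $ip, string $user, string $password): string
    {
        if ($this->isBanned($ip)) {
            return 'banned';
        }
        $known = array_key_exists($user, $this->users);
        if ($known && password_verify($password, $this->users[$user])) {
            return 'ok';
        }
        // Behaviour described in the issue: the failure is recorded only when
        // the username exists. Corrected behaviour: every failed attempt counts.
        if ($known || $this->countUnknownUsers) {
            $this->failures[$ip] = ($this->failures[$ip] ?? 0) + 1;
        }
        return 'failed';
    }
}

// Constructed sample data: one account, two clients on documentation-range IPs.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$probes = ['alice' => '198.51.100.10', 'nosuchuser' => '198.51.100.20'];

foreach (['before fix' => false, 'after fix' => true] as $label => $countUnknown) {
    $throttle = new LoginThrottle($users, $countUnknown);
    foreach ($probes as $name => $ip) {
        for ($i = 0; $i < MAX_FAILURES; $i++) {
            $throttle->attempt($ip, $name, 'wrong password');
        }
        $banned = var_export($throttle->isBanned($ip), true);
        printf("%-10s %-10s banned=%s\n", $label, $name, $banned);
    }
}
```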