##########################################################################################
PHPCRED-35: IDV: User's IP is only banned when using valid usernames
##########################################################################################

Issue Type: Bug

-----------------------------------------------------------------------------------------
Issue Information
====================

Priority: Major
Status: Closed
Resolution: Fixed (2014-08-07 01:11:39)
Project: PHPCredlocker (PHPCRED)
Reported By: btasker
Assigned To: btasker
Components:
- Authentication
Affected Versions:
- 1.15
Targeted for fix in version:
- 1.25
Labels: Security
Time Estimate: 0 minutes
Time Logged: 0 minutes

-----------------------------------------------------------------------------------------
Issue Description
==================

Given sufficient time and patience, an attacker could identify valid usernames by repeatedly trying to authenticate and seeing which usernames lead to their IP being banned. The system currently only logs a failed attempt (and eventually blocks the IP) if the username is valid.

-----------------------------------------------------------------------------------------
Activity
==========

-----------------------------------------------------------------------------------------
2014-08-07 01:11:30 btasker
-----------------------------------------------------------------------------------------

Fixed by commit fb54ab4

-----------------------------------------------------------------------------------------
2014-08-07 01:11:39
-----------------------------------------------------------------------------------------

btasker changed status from 'Open' to 'Resolved'

-----------------------------------------------------------------------------------------
2014-08-07 01:11:39
-----------------------------------------------------------------------------------------

btasker added 'Fixed' to resolution

-----------------------------------------------------------------------------------------
2014-08-07 01:11:45
-----------------------------------------------------------------------------------------

btasker changed status from 'Resolved' to 'Closed'
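The flaw in the issue description, shown as an added example that is not PHPCredlocker's code: a login handler that only records a failure when the username exists lets an observer tell valid and invalid usernames apart by whether the IP ever gets banned, while the corrected handler counts every failed attempt. The user store, IP, ban threshold and function names are assumptions.

```python
# Added illustration of PHPCRED-35 (not the project's own code).
# The ban threshold, user store and names below are assumptions.
import hashlib
import hmac
from collections import defaultdict

BAN_THRESHOLD = 3  # assumed: failed attempts per IP before the IP is banned

# Constructed user store: username -> sha256(password) (illustration only).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


class Authenticator:
    """count_unknown_users=False reproduces the reported bug; True is the fix."""

    def __init__(self, count_unknown_users):
        self.count_unknown_users = count_unknown_users
        self.failures = defaultdict(int)  # per-IP failed-attempt counter

    def is_banned(self, ip):
        return self.failures[ip] >= BAN_THRESHOLD

    def login(self, ip, username, password):
        if self.is_banned(ip):
            return False
        stored = USERS.get(username)
        if stored is None:
            # Bug: an unknown username is rejected without logging a failure,
            # so the IP is never banned and the rejection reveals the username
            # does not exist. The fix counts this attempt like any other.
            if self.count_unknown_users:
                self.failures[ip] += 1
            return False
        candidate = hashlib.sha256(password.encode()).hexdigest()
        if hmac.compare_digest(stored, candidate):
            return True
        self.failures[ip] += 1
        return False


def attempts_until_ban(auth, ip, username, limit=10):
    """Wrong-password attempts before the IP is banned, or None if never banned."""
    for n in range(1, limit + 1):
        auth.login(ip, username, "wrong password")
        if auth.is_banned(ip):
            return n
    return None


def probe(auth, usernames, ip="203.0.113.5"):
    """Ban outcome per username; differing outcomes mean usernames are distinguishable."""
    return {u: attempts_until_ban(Authenticator(auth.count_unknown_users), ip, u)
            for u in usernames}
```

With the bug present, `probe` returns `{'alice': 3, 'bob': None}`; with the fix, both usernames reach the ban after the same number of attempts.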