iRony does not log failed login attempts, if user name exists
Closed, ResolvedPublic



iRony does not log failed login attempts to /var/log/iRony/userlogins, if the user name does exist. In constrast to that, a log entry is emitted, if the user name does not exist.

Reproducing is easy: Open the DAV interface with a browser, enter an existing user name, but wrong password. Have a look into /var/log/iRony/userlogins.

That opens the door to brute force attacks when the user name is known.

Version: iRony-0.4-1.19.el7.kolab_16.noarch


Ticket Type

Event Timeline

machniak added a subscriber: machniak.

The same as in syncroton (T1751) it is caused by authentication cache.

machniak closed this task as Resolved.Jun 7 2017, 11:41 AM
machniak claimed this task.