iRony does not log failed login attempts, if user name exists
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	ravenpride
	Oct 19 2016, 5:25 PM

Description

Hello,

iRony does not log failed login attempts to /var/log/iRony/userlogins, if the user name does exist. In constrast to that, a log entry is emitted, if the user name does not exist.

Reproducing is easy: Open the DAV interface with a browser, enter an existing user name, but wrong password. Have a look into /var/log/iRony/userlogins.

That opens the door to brute force attacks when the user name is known.

Version: iRony-0.4-1.19.el7.kolab_16.noarch

Details

Ticket Type: Task

Related Objects

Mentioned In: rIde89b6ca76f9: Fix logging failed login attempts if the username exists (T1739)
Mentioned Here: T1751: Syncroton does not log failed login attempts, if the user name exists

Event Timeline

ravenpride created this task.Oct 19 2016, 5:25 PM

The same as in syncroton (T1751) it is caused by authentication cache.

machniak mentioned this in rIde89b6ca76f9: Fix logging failed login attempts if the username exists (T1739).Jun 7 2017, 11:41 AM

Fixed.

iRony does not log failed login attempts, if user name existsClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

iRony does not log failed login attempts, if user name exists
Closed, ResolvedPublic
Actions