
Chwala does not log failed login attempts, if the user name exists
Closed, Resolved · Public

Description

Hello again,

Chwala does not log failed login attempts to /var/log/chwala/userlogins if the user name does exist. In contrast to that, a log entry is emitted if the user name does not exist.

Reproducing is easy: Open the Chwala interface with a browser, enter an existing user name, but wrong password. Have a look into /var/log/chwala/userlogins.

That opens the door to brute force attacks when the user name is known.

Version: chwala-0.4-2.2.el7.kolab_16.noarch

Details

Ticket Type
Task

Event Timeline

ravenpride renamed this task from Chwala does not failed login attempts, if the user name exists to Chwala does not log failed login attempts, if the user name exists. Oct 19 2016, 5:33 PM
ravenpride created this task.
machniak subscribed.

I'm afraid Chwala does not log successful logins either. The failed logins log comes from the kolab_auth plugin.

machniak claimed this task.

Fixed.