Page MenuHomekolab.org

Syncroton does not log failed login attempts, if the user name exists
Closed, ResolvedPublic

Description

Hello again,

Syncroton does not log failed login attempts to /var/log/kolab-syncroton/userlogins, if the user name does exist. In constrast to that, a log entry is emitted, if the user name does not exist.

Reproducing is easy:

  1. Go to https://testconnectivity.microsoft.com/
  2. Select "Exchange ActiveSync", fill out the next page - but enter valid user name with a wrong password.
  3. No entry in the userlogins file is created.

That opens the door to brute force attacks when the user name is known.

Version: kolab-syncroton-2.3.3-1.11.el7.kolab_16.noarch

Details

Ticket Type
Task

Event Timeline

It is because syncroton uses authentication cache. So, when the username is in the cache kolab_auth plugin (which logs userlogins errors) is bypassed. We need some additional code in kolab_sync::authenticate(), probably should depend on Roundcube's log_logins setting.

machniak closed this task as Resolved.Jun 7 2017, 11:35 AM
machniak claimed this task.

Fixed.