Page MenuHomePhorge
Create Task
Maniphest T1751

Syncroton does not log failed login attempts, if the user name exists
Closed, ResolvedPublic
Actions

Description

Hello again,

Syncroton does not log failed login attempts to /var/log/kolab-syncroton/userlogins, if the user name does exist. In constrast to that, a log entry is emitted, if the user name does not exist.

Reproducing is easy:

  1. Go to https://testconnectivity.microsoft.com/
  2. Select "Exchange ActiveSync", fill out the next page - but enter valid user name with a wrong password.
  3. No entry in the userlogins file is created.

That opens the door to brute force attacks when the user name is known.

Version: kolab-syncroton-2.3.3-1.11.el7.kolab_16.noarch

Details

Ticket Type
Task

Related Objects

Event Timeline

ravenpride created this task.Oct 19 2016, 5:56 PM
machniak added a project: Syncroton.Dec 28 2016, 6:45 PM
machniak subscribed.Dec 28 2016, 6:49 PM

It is because syncroton uses authentication cache. So, when the username is in the cache kolab_auth plugin (which logs userlogins errors) is bypassed. We need some additional code in kolab_sync::authenticate(), probably should depend on Roundcube's log_logins setting.

machniak mentioned this in T1739: iRony does not log failed login attempts, if user name exists.Dec 28 2016, 7:21 PM
machniak mentioned this in rS3601376aef5d: Fix logging failed login attempts if the username exists (T1751).Jun 7 2017, 11:35 AM
machniak closed this task as Resolved.Jun 7 2017, 11:35 AM
machniak claimed this task.

Fixed.