[ZendTo] Possible information disclosure vulnerability for locked-out users

Brent Strignano brent at mirabito.com
Thu Dec 16 23:40:58 GMT 2010


Hello All,

I'm not certain this isn't a problem with my configuration, but I have noticed that it is still possible to tell if you have brute-forced a username and password even though the account has been locked out by ZendTo.
I am set up for AD authentication, and it works correctly when I enter a valid username and password.

When I attempt to log in with a bad username and/or password the following errors are displayed:

	LDAP Error
Check User: Unable to connect to any of the authentication servers; could not authenticate user.
	LDAP Error
Check User: Unable to connect to any of the LDAP servers; could not authenticate user.
	Authentication Error
The username or password was incorrect.

However when I log in with a valid username and password that ZendTo has locked out for too many bad attempts only this is displayed:

	Authentication Error
The username or password was incorrect.

Furthermore the bottom status bar then shows:

Version 3.63 | Copyright (c) 2010 | you are currently logged in as Test User

It seems like the AD authentication is performed before the username is looked up in the bad attempts list, and the status bar shows it is a valid account. Even if it did not show that, the difference in the displayed error messages would easily indicate that a valid username and password were found. An attacker could then just wait a day to log in or use the combination to attack another forward-facing system.


Brent Strignano
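The ordering problem described in the post, reduced to a small model so the two behaviours can be compared side by side. This is an added example and not ZendTo code; the directory backend, the lockout threshold and the usernames are constructed stand-ins. The first handler reproduces the reported flow (backend authentication first, lockout check second, backend error text leaking into the response, session state set before the lockout is consulted); the second checks the lockout before contacting the backend, returns one fixed message for every failure, and only establishes a session on a genuine success.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

GENERIC_ERROR = "The username or password was incorrect."
LOCKOUT_THRESHOLD = 3  # constructed value; the real threshold is a deployment setting

# Constructed stand-in for the AD/LDAP directory: username -> password.
_DIRECTORY = {"testuser": "correct horse battery staple"}


def backend_authenticate(username: str, password: str) -> Optional[str]:
    """Stand-in for the directory bind: display name on success, None on failure."""
    if _DIRECTORY.get(username) == password:
        return "Test User"
    return None


@dataclass
class LoginResult:
    message: str
    session_user: Optional[str] = None  # what a "logged in as" status bar would show


@dataclass
class LoginService:
    failures: Dict[str, int] = field(default_factory=dict)  # username -> bad attempts

    def is_locked(self, username: str) -> bool:
        return self.failures.get(username, 0) >= LOCKOUT_THRESHOLD

    def record_failure(self, username: str) -> None:
        self.failures[username] = self.failures.get(username, 0) + 1

    def login_ordering_bug(self, username: str, password: str) -> LoginResult:
        """Mirrors the reported behaviour: authenticate first, consult lockout second."""
        display = backend_authenticate(username, password)
        if display is None:
            self.record_failure(username)
            # Backend error text is prepended, so this response is distinguishable
            # from the locked-account response below.
            return LoginResult("LDAP Error: could not authenticate user.\n" + GENERIC_ERROR)
        if self.is_locked(username):
            # Credentials were valid, so the session already carries the display name
            # even though the login is refused: both signals confirm the guess.
            return LoginResult(GENERIC_ERROR, session_user=display)
        return LoginResult("OK", session_user=display)

    def login_hardened(self, username: str, password: str) -> LoginResult:
        """Lockout check before any backend call, one message for every failure,
        and no session state unless authentication actually succeeded."""
        if self.is_locked(username):
            return LoginResult(GENERIC_ERROR)
        display = backend_authenticate(username, password)
        if display is None:
            self.record_failure(username)
            return LoginResult(GENERIC_ERROR)
        self.failures.pop(username, None)  # reset the counter on a real success
        return LoginResult("OK", session_user=display)


def responses_are_indistinguishable(service: LoginService, username: str,
                                    good_password: str, bad_password: str) -> bool:
    """True when a locked account answers identically for right and wrong passwords
    and for an unknown user, with no session established in any of the three cases."""
    results = [
        service.login_hardened(username, good_password),
        service.login_hardened(username, bad_password),
        service.login_hardened("no-such-user", bad_password),
    ]
    return (len({r.message for r in results}) == 1
            and all(r.session_user is None for r in results))
```

The point of the hardened handler is not the exact message text but that a locked account yields the same response, status bar and session state as a wrong password for an unknown user, so a lockout cannot be used as a confirmation oracle. Checking the lockout table first also stops the directory from being queried at all for a locked account, which removes the second, unintentional leak (the backend error lines) along with the first.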


