[ZendTo] Re: Possible information disclosure vulnerability for locked-out users
Jules
Jules at Zend.To
Sun Jan 2 22:07:29 GMT 2011
Ooh, thanks for that. I will try to take a look at this tomorrow.
Jules.
On 16/12/2010 23:40, Brent Strignano wrote:
> Hello All,
>
> I'm not certain this isn't a problem with my configuration, but I have noticed that it is still possible to tell if you have brute-forced a username and password even though the account has been locked out by ZendTo.
> I am set up for AD authentication, and it works correctly when I enter a valid username and password.
>
> When I attempt to log in with a bad username and/or password the following errors are displayed:
>
> LDAP Error
> Check User: Unable to connect to any of the authentication servers; could not authenticate user.
> LDAP Error
> Check User: Unable to connect to any of the LDAP servers; could not authenticate user.
> Authentication Error
> The username or password was incorrect.
>
> However when I log in with a valid username and password that ZendTo has locked out for too many bad attempts only this is displayed:
>
> Authentication Error
> The username or password was incorrect.
>
> Furthermore the bottom status bar then shows:
>
> Version 3.63 | Copyright (c) 2010 | you are currently logged in as Test User
>
> It seems like the AD authentication is performed before the username is looked up in the bad attempts list, and the status bar shows it is a valid account. Even if it did not show that, the difference in the displayed error messages would easily indicate that a valid username and password were found. An attacker could then just wait a day to log in or use the combination to attack another forward facing system.
>
>
> Brent Strignano
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
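To make the ordering problem Brent describes concrete, here is an added example (my own illustration, not ZendTo code) contrasting a login flow that consults the directory before the lockout list with one that checks the lockout list first and returns a single uniform failure; the directory, messages and lockout threshold are constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Optional

GENERIC_ERROR = ("Authentication Error", "The username or password was incorrect.")
MAX_BAD_ATTEMPTS = 3

# Constructed stand-in directory; a real deployment binds to AD/LDAP instead.
DIRECTORY = {"testuser": "correct-horse", "alice": "hunter2"}

def backend_authenticate(username, password):
    """Simulates the directory bind. Returns (ok, backend_error_messages)."""
    if DIRECTORY.get(username) == password:
        return True, ()
    return False, (("LDAP Error", "Check User: could not authenticate user."),)

@dataclass
class Response:
    ok: bool
    errors: tuple                         # messages shown in the browser
    session_user: Optional[str] = None    # None: no session was established
    server_log: list = field(default_factory=list)

@dataclass
class Lockouts:
    failures: dict = field(default_factory=dict)
    def is_locked(self, user): return self.failures.get(user, 0) >= MAX_BAD_ATTEMPTS
    def record_failure(self, user): self.failures[user] = self.failures.get(user, 0) + 1

def login_vulnerable(lockouts, username, password):
    """Directory first, lockout second: a locked valid login and a wrong one differ."""
    ok, backend_errors = backend_authenticate(username, password)
    if not ok:
        lockouts.record_failure(username)
        return Response(False, backend_errors + (GENERIC_ERROR,))
    if lockouts.is_locked(username):
        # The bind already succeeded, so the status bar shows the user as logged in.
        return Response(False, (GENERIC_ERROR,), session_user=username)
    return Response(True, (), session_user=username)

def login_hardened(lockouts, username, password):
    """Lockout first, one uniform failure, backend detail kept in the server log."""
    resp = Response(False, (GENERIC_ERROR,))
    if lockouts.is_locked(username):
        resp.server_log.append(f"locked account {username!r}: directory not consulted")
        return resp
    ok, backend_errors = backend_authenticate(username, password)
    if not ok:
        lockouts.record_failure(username)
        resp.server_log.extend(msg for _, msg in backend_errors)
        return resp
    return Response(True, (), session_user=username)
```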