[ZendTo] Re: Possible information disclosure vulnerability for locked-out users
Jules
Jules at Zend.To
Mon Jan 3 11:45:14 GMT 2011
I now get rather better messages, and it wipes the data about the
authorised user if the user is locked out.
Jules.
On 02/01/2011 22:07, Jules wrote:
> Ooh, thanks for that. I will try to take a look at this tomorrow.
>
> Jules.
>
> On 16/12/2010 23:40, Brent Strignano wrote:
>> Hello All,
>>
>> I'm not certain this isn't a problem with my configuration, but I
>> have noticed that it is still possible to tell if you have
>> brute-forced a username and password even though the account has been
>> locked out by ZendTo.
>> I am set up for AD authentication, and it works correctly when I
>> enter a valid username and password.
>>
>> When I attempt to log in with a bad username and/or password the
>> following errors are displayed:
>>
>> LDAP Error
>> Check User: Unable to connect to any of the authentication servers;
>> could not authenticate user.
>> LDAP Error
>> Check User: Unable to connect to any of the LDAP servers; could not
>> authenticate user.
>> Authentication Error
>> The username or password was incorrect.
>>
>> However, when I log in with a valid username and password that ZendTo
>> has locked out for too many bad attempts, only this is displayed:
>>
>> Authentication Error
>> The username or password was incorrect.
>>
>> Furthermore the bottom status bar then shows:
>>
>> Version 3.63 | Copyright (c) 2010 | you are currently logged in as
>> Test User
>>
>> It seems like the AD authentication is performed before the username
>> is looked up in the bad attempts list, and the status bar shows it is
>> a valid account. Even if it did not show that, the difference in the
>> displayed error messages would easily indicate that a valid username
>> and password were found. An attacker could then just wait a day to log
>> in or use the combination to attack another forward-facing system.
>>
>>
>> Brent Strignano
>>
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to
>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
> Jules
>
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
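The ordering problem Brent describes, as an added example that is not ZendTo's own code: a login routine that binds to the directory first and consults the lockout table second leaks a valid credential pair through a different error set and a populated "logged in as" status, while one that checks the lockout table first and returns one fixed message for every failure does not. The in-memory directory, the `fake_ldap_bind` stand-in for an AD/LDAP bind, and the three-attempt, one-day lockout policy are all constructed for the example.

```python
"""Lockout-before-authentication demo (added example, not ZendTo code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GENERIC_ERROR = "The username or password was incorrect."
LOCKOUT_THRESHOLD = 3        # assumed policy: lock after 3 bad attempts
LOCKOUT_SECONDS = 24 * 3600  # assumed policy: stay locked for a day

# Constructed stand-in for the AD/LDAP directory: username -> (password, display name).
FAKE_DIRECTORY = {"testuser": ("correct horse", "Test User")}


def fake_ldap_bind(username: str, password: str) -> Optional[str]:
    """Stand-in for an LDAP bind: display name on success, None on failure."""
    entry = FAKE_DIRECTORY.get(username)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


@dataclass
class LockoutTable:
    # username -> (failure count, time of last failure)
    failures: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def is_locked(self, username: str, now: int) -> bool:
        count, last = self.failures.get(username, (0, 0))
        return count >= LOCKOUT_THRESHOLD and now - last < LOCKOUT_SECONDS

    def record_failure(self, username: str, now: int) -> None:
        count, _ = self.failures.get(username, (0, 0))
        self.failures[username] = (count + 1, now)


@dataclass
class Session:
    logged_in_as: Optional[str] = None  # what the status bar would render
    errors: List[str] = field(default_factory=list)


def login_vulnerable(table: LockoutTable, session: Session,
                     username: str, password: str, now: int) -> bool:
    """Binds first, checks the lockout second: the shape of the bug reported above."""
    display = fake_ldap_bind(username, password)
    if display is None:
        table.record_failure(username, now)
        # Two messages for bad credentials, one for a locked-out good pair: distinguishable.
        session.errors = ["LDAP Error: could not authenticate user.", GENERIC_ERROR]
        return False
    session.logged_in_as = display          # leaked: set before the lockout check
    if table.is_locked(username, now):
        session.errors = [GENERIC_ERROR]
        return False
    return True


def login_fixed(table: LockoutTable, session: Session,
                username: str, password: str, now: int) -> bool:
    """Checks the lockout first, never binds for a locked name, one message for every failure."""
    session.logged_in_as = None
    if table.is_locked(username, now):
        table.record_failure(username, now)  # keep counting so the lock does not expire under attack
        session.errors = [GENERIC_ERROR]
        return False
    display = fake_ldap_bind(username, password)
    if display is None:
        table.record_failure(username, now)  # counted per submitted name, real or not
        session.errors = [GENERIC_ERROR]
        return False
    session.logged_in_as = display
    session.errors = []
    return True


def observe(login, username: str, password: str) -> dict:
    """Lock the account with bad passwords, then compare a wrong and a right password."""
    table = LockoutTable()
    now = 1_000_000
    for i in range(LOCKOUT_THRESHOLD):
        login(table, Session(), username, "wrong%d" % i, now + i)
    bad, good = Session(), Session()
    login(table, bad, username, "still-wrong", now + 10)
    login(table, good, username, password, now + 11)
    return {"bad_errors": bad.errors, "good_errors": good.errors,
            "status_bar": good.logged_in_as}


def leaks(obs: dict) -> bool:
    """True if an attacker can tell the locked-out good pair from a bad pair."""
    return obs["bad_errors"] != obs["good_errors"] or obs["status_bar"] is not None


if __name__ == "__main__":
    print("vulnerable leaks:", leaks(observe(login_vulnerable, "testuser", "correct horse")))
    print("fixed leaks:     ", leaks(observe(login_fixed, "testuser", "correct horse")))
```

Two details of the fixed ordering matter beyond the message text: the locked path returns before any directory bind, so a locked name does not produce the slower round-trip an attacker could time, and failures are counted against whatever name was submitted, so a name that is not in the directory locks in the same way as one that is.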