jackrabbit-oak-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alex Deparvu (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (OAK-7506) Prevent user enumeration by exploiting time delay vulnerability
Date Wed, 23 May 2018 10:11:00 GMT

     [ https://issues.apache.org/jira/browse/OAK-7506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Alex Deparvu updated OAK-7506:
------------------------------
    Fix Version/s: 1.10

> Prevent user enumeration by exploiting time delay vulnerability
> ---------------------------------------------------------------
>
>                 Key: OAK-7506
>                 URL: https://issues.apache.org/jira/browse/OAK-7506
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: security
>            Reporter: Alex Deparvu
>            Assignee: Alex Deparvu
>            Priority: Minor
>             Fix For: 1.10
>
>
> Pasting here the improvement request: "If the server response is different for existing
and not existing usernames, the attacker is able to enumerate valid usernames with guessing
attacks. He is thereby able to focus his password guessing attacks to the existing accounts."
> The fix for this particular issue seems trivial, at the cost of making the login operation
slower in the case the user doesn't actually exist.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message