Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.0.0
    • Fix Version/s: Long Term
    • Component/s: None
    • Labels:
      None

      Description

      Currently the system only logs login attempts with a valid username. Instead, the system should log all login attempts whether the username exists or not.

      The system currently limits login attempts to 10 per hour per IP, however this only applies to existing usernames. Attempts to log in with usernames that do not exist are not bound by this restriction, thus an attacker could potentially gain information about which username is valid by receiving the appropriate (blocked) error message after attempting a username 10 times.

      To correct the issue, the log_users table should be updated to record the username of the user attempted, and set user_id to '0' to indicate not match on user ID. Then Users::login() must be updated to log the attempt if validation values with the appropriate data. Next, Users::validateLoginAttempts must be updated to leftJoin from log_users with users as opposed to inner join.

        Issue Links

          Activity

          cody Cody Phillips (Inactive) created issue -
          cody Cody Phillips (Inactive) made changes -
          Field Original Value New Value
          Link This issue blocks CORE-977 [ CORE-977 ]
          Hide
          cody Cody Phillips (Inactive) added a comment -

          This must work for any username, as CORE-977 will pass those along to the event handler and we need to be able to prevent DOS for nonmatching usernames.

          There should be an update log entry to update when a login request can be linked to a user ID.

          Show
          cody Cody Phillips (Inactive) added a comment - This must work for any username, as CORE-977 will pass those along to the event handler and we need to be able to prevent DOS for nonmatching usernames. There should be an update log entry to update when a login request can be linked to a user ID.
          Hide
          admin Paul Phillips added a comment -

          Not sure if there is a separate task, but valid username login attempts appear to be logged as successful even though they were unsuccessful. In the logs, it then appears as if hackers were able to login as administrators for example.

          Show
          admin Paul Phillips added a comment - Not sure if there is a separate task, but valid username login attempts appear to be logged as successful even though they were unsuccessful. In the logs, it then appears as if hackers were able to login as administrators for example.
          admin Paul Phillips made changes -
          Security Private [ 10000 ]
          admin Paul Phillips made changes -
          Fix Version/s 3.2.0-b2 [ 10501 ]
          Fix Version/s 3.2.0-b1 [ 10002 ]
          admin Paul Phillips made changes -
          Fix Version/s 3.2.0-b3 [ 10503 ]
          Fix Version/s 3.2.0-b2 [ 10501 ]
          admin Paul Phillips made changes -
          Fix Version/s 3.2.0 [ 10502 ]
          Fix Version/s 3.2.0-b3 [ 10503 ]
          admin Paul Phillips made changes -
          Fix Version/s 3.3.0 [ 10100 ]
          Fix Version/s 3.2.0 [ 10502 ]
          admin Paul Phillips made changes -
          Fix Version/s 3.3.0-b2 [ 10507 ]
          Fix Version/s 3.3.0-b1 [ 10100 ]
          admin Paul Phillips made changes -
          Fix Version/s 3.4.0 [ 10400 ]
          Fix Version/s 3.3.0-b2 [ 10507 ]
          admin Paul Phillips made changes -
          Fix Version/s 3.5.0 [ 10401 ]
          Fix Version/s 3.4.0-b1 [ 10400 ]
          admin Paul Phillips made changes -
          Fix Version/s 3.5.0-b2 [ 10701 ]
          Fix Version/s 3.5.0-b1 [ 10401 ]
          admin Paul Phillips made changes -
          Fix Version/s 3.5.0-b2 [ 10701 ]
          Hide
          tyson Tyson Phillips (Inactive) added a comment -

          This task may no longer be necessary with the intended use of Monolog in the future.

          Show
          tyson Tyson Phillips (Inactive) added a comment - This task may no longer be necessary with the intended use of Monolog in the future.
          admin Paul Phillips made changes -
          Assignee Cody Phillips [ cody ]
          admin Paul Phillips made changes -
          Fix Version/s Long Term [ 10801 ]
          tyson Tyson Phillips (Inactive) made changes -
          Story Points 3

            People

            • Assignee:
              Unassigned
              Reporter:
              cody Cody Phillips (Inactive)
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: