Posted to issues@guacamole.apache.org by "Mathieu CARBONNEAUX (Jira)" <ji...@apache.org> on 2020/03/18 14:26:00 UTC

[jira] [Created] (GUACAMOLE-991) Pass and User Check before OTP Check make possible brute force...

Mathieu CARBONNEAUX created GUACAMOLE-991:
---------------------------------------------

             Summary: Pass and User Check before OTP Check make possible brute force...
                 Key: GUACAMOLE-991
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-991
             Project: Guacamole
          Issue Type: Improvement
          Components: guacamole-auth-totp
            Reporter: Mathieu CARBONNEAUX


Hi,


Guacamole with the OTP module works like a charm...

but the user and password are checked before redirecting to the OTP page...

This makes user/pass brute force possible, because the attacker can know if the user + password is valid....

OK, they need the token to achieve the complete connection... but they know the password...

Why not redirect systematically to the OTP form, and check user + pass after the OTP form post (do the token validation only if user/pass are OK)? Or use a 3-field form?

In that way the attacker cannot know if the password is OK or if the token is bad...
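
The two orderings the report contrasts, as an added example that is not Guacamole's own code: the user store, the SHA-256 "password hash" and the TOTP secret are constructed placeholders (a real deployment uses a proper password hash such as bcrypt). The first flow verifies the password before asking for the code and answers differently at each stage; the second collects all three fields at once and returns one generic result whatever fails.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample user store; hash and TOTP secret are placeholders, not real values.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": b"0123456789abcdef0123",
    }
}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def password_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pw_hash"], hashlib.sha256(password.encode()).hexdigest())

def sequential_login(user, password, code=None, now=None):
    """Ordering the report describes: the password is verified first and the
    response differs by stage, so a caller learns whether the password was right."""
    if not password_ok(user, password):
        return "BAD_PASSWORD"          # distinct answer: acts as a password oracle
    if code is None:
        return "NEED_TOTP"             # confirms the password was accepted
    if not hmac.compare_digest(code, totp(USERS[user]["totp_secret"], now or int(time.time()))):
        return "BAD_TOTP"
    return "OK"

def combined_login(user, password, code, now=None):
    """Hardened ordering: user, password and code arrive in one form and every
    failure yields the same generic result, so the password is never confirmed alone."""
    now = now or int(time.time())
    pw_valid = password_ok(user, password)
    # Unknown or wrong credentials still run a TOTP computation on a dummy secret,
    # so the password outcome is not exposed through a short-circuit either.
    secret = USERS[user]["totp_secret"] if pw_valid else b"\x00" * 20
    totp_valid = hmac.compare_digest(code, totp(secret, now))
    return "OK" if (pw_valid and totp_valid) else "INVALID_CREDENTIALS"
```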
