Posted to issues@guacamole.apache.org by "Mathieu CARBONNEAUX (Jira)" <ji...@apache.org> on 2020/03/18 14:26:00 UTC
[jira] [Created] (GUACAMOLE-991) Pass and User Check before OTP Check make possible brute force...
Mathieu CARBONNEAUX created GUACAMOLE-991:
---------------------------------------------
Summary: Pass and User Check before OTP Check make possible brute force...
Key: GUACAMOLE-991
URL: https://issues.apache.org/jira/browse/GUACAMOLE-991
Project: Guacamole
Issue Type: Improvement
Components: guacamole-auth-totp
Reporter: Mathieu CARBONNEAUX
Hi,
Guacamole with the OTP module works like a charm...
but the user and password are checked before the redirect to the OTP page...
This makes user/pass brute force possible, because the attacker can know if the user + password is valid....
OK, they need the token to achieve the complete connection... but they know the password...
Why not redirect systematically to the OTP form, and check user + pass after the OTP form post (do the token validation only if user/pass are OK)? Or use a 3-field form?
That way the attacker cannot know if the password is OK or if the token is bad...
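As an added example (not code from the reporter or from the Guacamole project), here is a Python sketch of the single-step check proposed above: the password and the TOTP code are both verified on every attempt and only a combined pass/fail is returned, so a wrong password and a wrong token look the same to the caller. The user store, salt and password are constructed for the example; the TOTP secret is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store for the example (a real deployment loads this from a DB).
_SALT = b"example-salt-16b"
USERS = {
    "alice": {
        "pw": _pw_hash("correct horse battery staple", _SALT),
        "salt": _SALT,
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    },
}

def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `timestamp`."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def authenticate(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Single-step check: password and token are always both evaluated and the
    caller learns only pass/fail, never which factor was wrong."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    known = user is not None
    if not known:
        # Unknown user: run the same work against dummy data so timing does
        # not reveal whether the username exists.
        user = {"pw": bytes(32), "salt": _SALT, "totp_secret": bytes(20)}
    pw_ok = hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw"])
    # Accept the current step and the previous one to tolerate clock drift.
    totp_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now - d), code) for d in (0, 30)
    )
    # Bitwise AND rather than short-circuit `and`: every factor is evaluated.
    return known & pw_ok & totp_ok
```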