Mathieu CARBONNEAUX created GUACAMOLE-991:
---------------------------------------------
Summary: Pass and User Check before OTP Check makes brute force possible...
Key: GUACAMOLE-991
URL: https://issues.apache.org/jira/browse/GUACAMOLE-991
Project: Guacamole
Issue Type: Improvement
Components: guacamole-auth-totp
Reporter: Mathieu CARBONNEAUX
Hi,
Guacamole with the OTP module works like a charm...
but the user and password are checked before the redirect to the OTP page...
This makes user/pass brute force possible, because the attacker can know if the
user + password is valid....
OK, they need the token to achieve the complete connection... but they know the
password...
Why not redirect systematically to the OTP form, and check user + pass after the OTP
form post (doing the token validation only if user/pass are OK)? Or use a
3-field form?
In that way the attacker cannot know if the password is OK or if the token is
bad...
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
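The two login flows the report contrasts, as an added illustration that is not Guacamole's or the TOTP extension's code: `login_sequential` returns a distinct answer as soon as the password check passes, while `login_combined` collects all three fields and collapses every failure into one result. The user table, `alice`'s password and the TOTP secret are constructed sample values; the TOTP function follows RFC 6238 (HMAC-SHA1, 30-second step).

```python
import hashlib
import hmac
import struct

# Constructed sample credential store for the example (not Guacamole's data model).
USERS = {
    "alice": {"password": "correct horse", "totp_secret": b"12345678901234567890"},
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login_sequential(user: str, password: str, code, now: int) -> str:
    """Flow described in the report: password verified first, so the response
    ('need-otp' vs 'bad-credentials') reveals whether the password was right."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return "bad-credentials"          # distinguishable from a wrong token
    if code is None:
        return "need-otp"                 # confirms the password before any token
    if not hmac.compare_digest(code, totp(rec["totp_secret"], now)):
        return "bad-otp"
    return "ok"


def login_combined(user: str, password: str, code, now: int) -> str:
    """Single 3-field form: password and token are both checked before answering,
    and every failure maps to the same result, so the caller cannot tell a wrong
    password from a wrong token. Unknown users are checked against a dummy record
    so the work done does not depend on whether the user exists."""
    rec = USERS.get(user)
    checked = rec if rec is not None else {"password": "", "totp_secret": b"\x00" * 20}
    pw_ok = hmac.compare_digest(checked["password"], password)
    otp_ok = hmac.compare_digest(code or "", totp(checked["totp_secret"], now))
    if rec is not None and pw_ok and otp_ok:
        return "ok"
    return "login-failed"
```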