Alex Deparvu created OAK-7506:
---------------------------------

             Summary: Prevent user enumeration by exploiting time delay vulnerability
                 Key: OAK-7506
                 URL: https://issues.apache.org/jira/browse/OAK-7506
             Project: Jackrabbit Oak
          Issue Type: Improvement
          Components: security
            Reporter: Alex Deparvu
            Assignee: Alex Deparvu


Pasting here the improvement request: "If the server response is different for 
existing and not existing usernames, the attacker is able to enumerate valid 
usernames with guessing attacks. He is thereby able to focus his password 
guessing attacks to the existing accounts."

The fix for this particular issue seems trivial, at the cost of making the 
login operation slower in the case the user doesn't actually exist.
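As an added illustration of the fix described above (example code, not Jackrabbit Oak's own implementation), here is a Python sketch of a login check before and after the change: the vulnerable version skips password hashing when the user does not exist, so that path answers faster; the hardened version always runs the derivation, against a dummy credential when the user is missing, so both paths do the same amount of work. The user store, PBKDF2 parameters and dummy credential are constructed for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000   # constructed parameter for the example

derive_calls = 0      # instrumentation: counts derivations, a deterministic proxy for response time


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the expensive step whose presence or absence leaks."""
    global derive_calls
    derive_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(users: dict) -> dict:
    """Constructed user store: username -> (salt, hash)."""
    return {name: (salt, derive(pw, salt))
            for name, pw in users.items() for salt in (os.urandom(16),)}


# Dummy credential computed once; used to burn equal work for unknown users.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive("dummy-password", _DUMMY_SALT)


def login_vulnerable(store: dict, username: str, password: str) -> bool:
    """Returns early for unknown users: no hashing, so the reply is measurably faster."""
    entry = store.get(username)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(derive(password, salt), expected)


def login_hardened(store: dict, username: str, password: str) -> bool:
    """Always derives and compares, falling back to the dummy credential for unknown users."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(derive(password, salt), expected)
    return matches and username in store   # a dummy match is never a login


def count_derivations(login, store: dict, username: str, password: str) -> int:
    """How many derivations one attempt performs; equal counts mean equal work on both paths."""
    before = derive_calls
    login(store, username, password)
    return derive_calls - before


if __name__ == "__main__":
    store = make_store({"alice": "correct horse battery staple"})
    for fn in (login_vulnerable, login_hardened):
        for user in ("alice", "nobody"):
            t0 = time.perf_counter()
            fn(store, user, "wrong-password")
            print(f"{fn.__name__:17s} {user:7s} {(time.perf_counter() - t0) * 1000:7.1f} ms")
```

Run stand-alone it prints the per-path timings; the unknown-user path is near zero for the vulnerable check and matches the known-user path for the hardened one.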



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)