Issues (key, summary, status, assignee)
- JM-1014: Admin Console Login allows Brute Force Login (Resolved, Daniel Henninger)
- JM-883: UTF-8 is not always being used when reading/writing XML content (Resolved, Gaston Dombiak)
- JM-881: Fix NPE when closing connection manager session (Resolved, Gaston Dombiak)
- JM-880: Logging into the admin console may not work after initial setup when using LDAP (Resolved, Gaston Dombiak)
- JM-879: Streamlined build process (Resolved, MattM)
- JM-878: Some settings are not being saved when configuring LDAP from the admin console (Resolved, Gaston Dombiak)
- JM-877: Allow changing existing LDAP settings from admin console (Resolved, Gaston Dombiak)
- JM-876: Allow to test group mapping settings during LDAP setup (Resolved, Gaston Dombiak)
- JM-875: Allow to test user mapping settings during LDAP setup (Resolved, Gaston Dombiak)
- JM-872: Improved Unix script (Resolved, Daniel Henninger)
- JM-871: Update Java mail library to latest version (Resolved, Gaston Dombiak)
- JM-870: Allow to test administrator accounts during LDAP setup (Resolved, Gaston Dombiak)
- JM-869: Convert from plain text to encrypted passwords (Resolved, Gaston Dombiak)
- JM-868: Add favicon to admin console (Resolved, Gaston Dombiak)
- JM-867: Socket connections are closed under high load (Resolved, Gaston Dombiak)
- JM-866: Increase max size of LDAP filters to 250 characters (Resolved, Gaston Dombiak)
JM-1014: Admin Console Login allows Brute Force Login
Resolution: Fixed
Environment: Every Platform
Assignee: Daniel Henninger
Reporter: Thiago Rocha Camargo
Time tracking: No time logged, 1d remaining
Priority: Major
Created: March 26, 2007 at 10:20 PM
Updated: August 26, 2008 at 3:50 AM
Resolved: August 26, 2008 at 3:50 AM
Activity
LG, April 22, 2007 at 12:51 AM
Adding a random delay of 1-3 seconds before returning an error if the password is wrong is never a fault.
An option to limit the remote addresses (e.g. 10.0.0.0/24 or *.dialin.provider.com) would help a lot.
Thiago Rocha Camargo, April 21, 2007 at 12:00 AM
A day has 86400 seconds. A week has 604800. I don't think that it's sufficient. In 3 months it's very easy to get in. I don't think admins change the admin password every month. Or at least we MUST not trust in that.
This is a best practices issue.
Johannes Grimm, April 20, 2007 at 9:31 PM
Perhaps simply delaying the error message would be sufficient ... so brute force takes really long (0.5 or 1 sec should be enough).
Description
Openfire Admin Console allows brute force login.
It MUST implement some security verifications and listeners that monitor login attempts.
- Limit login attempts per IP in a time period.
- Limit login attempts in a time period.
Test Cases (Optional)
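The two controls the report asks for, a per-IP limit and a global limit on failed logins inside a time period, as an added worked example. This is illustrative code written for this page; it is not Openfire's admin console code and not the change that resolved JM-1014. The thresholds, the lockout length, the `DEMO_PASSWORD` placeholder and the client addresses (taken from the documentation ranges) are all constructed for the demo. Timestamps are passed in explicitly so the behaviour is deterministic and can be checked offline.

```python
"""Illustrative login-attempt limiter (added example; not Openfire's code).

Implements a per-IP limit and a global limit on failed logins inside a
sliding time window, plus a lockout once either limit trips. Timestamps
are passed in explicitly so the behaviour is deterministic and testable.
"""
import hmac
from collections import defaultdict, deque


class LoginLimiter:
    def __init__(self, max_per_ip=5, per_ip_window=600.0,
                 max_total=50, total_window=600.0, lockout=900.0):
        self.max_per_ip = max_per_ip        # failures tolerated per IP inside per_ip_window
        self.per_ip_window = per_ip_window  # seconds
        self.max_total = max_total          # failures tolerated from all IPs inside total_window
        self.total_window = total_window    # seconds
        self.lockout = lockout              # seconds a tripped limit stays in force
        self._per_ip = defaultdict(deque)   # ip -> timestamps of recent failures
        self._total = deque()               # timestamps of recent failures, all IPs
        self._ip_locked_until = {}          # ip -> time the per-IP lockout ends
        self._global_locked_until = 0.0     # time the global lockout ends

    @staticmethod
    def _prune(q, window, now):
        # Drop timestamps that have fallen out of the sliding window.
        while q and q[0] <= now - window:
            q.popleft()

    def retry_after(self, ip, now):
        """Seconds until `ip` may be checked again; 0.0 when not blocked."""
        until = max(self._global_locked_until, self._ip_locked_until.get(ip, 0.0))
        return max(0.0, until - now)

    def is_blocked(self, ip, now):
        return self.retry_after(ip, now) > 0.0

    def record_failure(self, ip, now):
        """Call after a rejected password. Returns True if this failure tripped a limit."""
        q = self._per_ip[ip]
        self._prune(q, self.per_ip_window, now)
        q.append(now)
        self._prune(self._total, self.total_window, now)
        self._total.append(now)
        tripped = False
        if len(q) >= self.max_per_ip:
            self._ip_locked_until[ip] = now + self.lockout
            q.clear()
            tripped = True
        if len(self._total) >= self.max_total:
            self._global_locked_until = now + self.lockout
            self._total.clear()
            tripped = True
        return tripped

    def record_success(self, ip):
        # A correct login clears this IP's failure history; the global count is untouched.
        self._per_ip.pop(ip, None)
        self._ip_locked_until.pop(ip, None)


# Placeholder credential for the demo only; a real console compares against a password hash.
DEMO_PASSWORD = "correct horse"


def authenticate(limiter, ip, password, now):
    """Consult the limiter *before* the password check, so a blocked client learns
    nothing about whether its guess was right. Returns 'blocked', 'ok' or 'bad'."""
    if limiter.is_blocked(ip, now):
        return "blocked"
    if hmac.compare_digest(password.encode(), DEMO_PASSWORD.encode()):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip, now)
    return "bad"


def run_scenario():
    """Constructed stream: one attacker guessing once per second, one admin elsewhere."""
    limiter = LoginLimiter(max_per_ip=5, per_ip_window=600, max_total=50,
                           total_window=600, lockout=900)
    attacker, admin = "203.0.113.7", "192.0.2.10"   # documentation addresses, constructed
    results = [authenticate(limiter, attacker, f"guess{t}", now=float(t)) for t in range(10)]
    results.append(authenticate(limiter, admin, DEMO_PASSWORD, now=20.0))            # unaffected
    results.append(authenticate(limiter, attacker, "guess11", now=4.0 + 900.0 + 1.0))  # lockout over
    return results, limiter


def run_distributed_scenario():
    """Constructed: 50 failures from 50 different addresses stay under the per-IP
    limit but trip the global one, after which even a fresh address is refused."""
    limiter = LoginLimiter(max_per_ip=5, per_ip_window=600, max_total=50,
                           total_window=600, lockout=900)
    tripped_at = None
    for i in range(50):
        if limiter.record_failure(f"198.51.100.{i + 1}", now=float(i)) and tripped_at is None:
            tripped_at = i
    return tripped_at, limiter.is_blocked("192.0.2.10", 50.0), limiter.is_blocked("192.0.2.10", 950.0)


if __name__ == "__main__":
    print(run_scenario()[0])
    print(run_distributed_scenario())
```

The per-IP limit stops the single-source guessing the report describes; the global limit catches guessing spread over many addresses, which a per-IP counter alone never sees. The global lockout is also the trade-off to keep in mind: once it trips, the legitimate administrator is refused as well, so in practice it is paired with the kind of remote-address restriction suggested in the comments rather than used on its own. A fixed per-attempt delay, as also suggested, slows a single attacker but does not bound the number of guesses, which is the objection raised in the comment about seconds per day.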