Issues (all resolved)
- JM-1014 Admin Console Login allows Brute Force Login (Daniel Henninger)
- JM-1001 Http-binding deadlock (Alex Wenckus)
- JM-981 Fix parsing of packets with nested elements with the same name (Gaston Dombiak)
- JM-980 Close connection from client that tries to send a never ending packet (Gaston Dombiak)
- JM-979 Fix NPE when auditing message received from legacy network (Gaston Dombiak)
- JM-978 Update MINA library to latest version (Gaston Dombiak)
- JM-977 Update bouncycastle library to latest version (Gaston Dombiak)
- JM-976 A couple of times a day people can't login and the service won't stop without ending the task. (Gaston Dombiak)
- JM-975 Client connection may be closed before flushing end of stream stanza (Gaston Dombiak)
- JM-974 Update MUC implementation to send role="none" when leaving a room (Gaston Dombiak)
- JM-973 HTTP-binding would be held open and not closed when new packets arrived (Alex Wenckus)
- JM-972 Fix presence problem when shared groups can be seen by a common non-shared group and both users belong to such group (Gaston Dombiak)
- JM-971 Messages could be lost when using HTTP Binding (Alex Wenckus)
- JM-970 Fix deadlock when using old SSL method (Gaston Dombiak)
- JM-969 HTTP-Binding Sessions Not Closed Properly (Alex Wenckus)
- JM-968 The https port is not working in the admin console (Gaston Dombiak)
- JM-967 Plugins that require a newer server version are shown as available to be installed (Gaston Dombiak)
- JM-966 Disable multi-cast DNS by default (MattM)
- JM-963 A throwable exception may prevent users from logging in (Gaston Dombiak)
- JM-962 PLAIN SASL authentication fails to authenticate clients that are sending bare JIDs (Gaston Dombiak)
- JM-960 When upgrading, I am requested to overwrite every file (.sql, .png, .gif, etc). (Gaston Dombiak)
- JM-959 HTTP-Binding Fails Over HTTPS (Alex Wenckus)
- JM-958 Wildfire Installation tool appends 3.2 to installation path when browsing (Gaston Dombiak)
JM-1014: Admin Console Login allows Brute Force Login
Status: Fixed
Environment: Every Platform
Assignee: Daniel Henninger
Reporter: Thiago Rocha Camargo
Time tracking: No time logged, 1d remaining
Priority: Major
Created: March 26, 2007 at 10:20 PM
Updated: August 26, 2008 at 3:50 AM
Resolved: August 26, 2008 at 3:50 AM
Activity
LG, April 22, 2007 at 12:51 AM
Adding a random delay of 1-3 seconds before returning an error if the password is wrong is never a fault.
An option to limit the remote addresses (e.g. 10.0.0.0/24 or *.dialin.provider.com) would help a lot.
Thiago Rocha Camargo, April 21, 2007 at 12:00 AM
A day has 86400 seconds, a week 604800. I don't think that it's sufficient. In 3 months it's very easy to get in. I don't think admins change the admin password every month. Or at least we MUST not trust in it.
This is a Best Practices issue.
Johannes Grimm, April 20, 2007 at 9:31 PM
Perhaps simply delaying the error message would be sufficient, so brute force takes really long (0.5 or 1 sec should be enough).
Description
Openfire Admin Console allows brute force login.
It MUST implement some security verifications and listeners that monitor login attempts.
- Limit login attempts per IP in a time period.
- Limit login attempts in a time period.
Test Cases (Optional)
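One way to implement the two limits the description asks for, as an added example that is not Openfire's own code: a sliding-window throttle on failed admin-console logins, counted per source IP and server-wide, with a lockout once the per-IP limit is reached. The `LoginThrottle` and `attempt_login` names, the limit values and the `_ADMINS` credential table are constructed for this example; `now` is injected so the behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

class LoginThrottle:
    # Sliding-window limiter on failed logins, per source IP and server-wide.
    def __init__(self, per_ip_limit=5, global_limit=50, window_s=600, lockout_s=900):
        self.per_ip_limit, self.global_limit = per_ip_limit, global_limit
        self.window_s, self.lockout_s = window_s, lockout_s
        self._per_ip = defaultdict(deque)   # ip -> timestamps of recent failures
        self._global = deque()              # timestamps of all recent failures
        self._locked_until = {}             # ip -> time at which its lockout ends

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window_s:   # drop failures outside the window
            dq.popleft()

    def allowed(self, ip, now):
        if self._locked_until.get(ip, 0.0) > now:
            return False
        self._prune(self._per_ip[ip], now)
        self._prune(self._global, now)
        return (len(self._per_ip[ip]) < self.per_ip_limit
                and len(self._global) < self.global_limit)

    def record_failure(self, ip, now):
        self._per_ip[ip].append(now)
        self._global.append(now)
        self._prune(self._per_ip[ip], now)
        if len(self._per_ip[ip]) >= self.per_ip_limit:   # too many: lock this IP out
            self._locked_until[ip] = now + self.lockout_s

    def record_success(self, ip):
        self._per_ip.pop(ip, None)
        self._locked_until.pop(ip, None)

# Constructed stand-in for the admin credential store (a real one uses a slow salted hash).
_ADMINS = {"admin": hashlib.sha256(b"correct-password").hexdigest()}

def attempt_login(throttle, ip, username, password, now=None):
    # Throttle is checked before the password, so a locked-out client learns nothing about it.
    now = time.monotonic() if now is None else now
    if not throttle.allowed(ip, now):
        return "throttled"
    if hmac.compare_digest(_ADMINS.get(username, ""),
                           hashlib.sha256(password.encode()).hexdigest()):
        throttle.record_success(ip)
        return "ok"
    throttle.record_failure(ip, now)
    return "bad_credentials"
```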