GUACAMOLE-991: Pass and User Check before OTP Check make possible brute force...


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Trivial
    • Resolution: Invalid
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: guacamole-auth-totp
    • Labels: None

    Description

      Hi,

      Guacamole with the OTP module works like a charm...

      but the user and password are checked before redirecting to the OTP page...

      this makes user/pass brute force possible, because the attacker can know if the user + password is valid....

      ok, they need the token to achieve the complete connection... but they know the password...

      why not redirect systematically to the OTP form, and check user + pass after the OTP form post (do the token validation only if user/pass are ok)? or use a 3-field form?

      in that way the attacker cannot know if the password is ok or if the token is bad...
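The 3-field form the report asks for, as an added example that is not Guacamole's code nor part of the guacamole-auth-totp extension: password and TOTP are verified in one step and the caller only ever sees a single pass/fail result, so a wrong password and a wrong token are indistinguishable. It assumes a constructed in-memory user store and RFC 6238 TOTP over HMAC-SHA1.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user store (not Guacamole's): password stored as a
# salted PBKDF2 hash, TOTP secret as raw bytes (RFC 6238 test-vector key).
SALT = b"demo-salt"
ITERATIONS = 100_000
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS),
        "totp_secret": b"12345678901234567890",
    }
}
# Dummy record so an unknown username costs the same work as a known one.
DUMMY = {"pw_hash": hashlib.pbkdf2_hmac("sha256", b"dummy", SALT, ITERATIONS),
         "totp_secret": b"\x00" * 20}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def authenticate(username: str, password: str, token: str, now=None) -> bool:
    """Single-step check of all three fields.

    Both factors are always evaluated, and only one combined boolean leaves
    this function, so the response does not reveal which factor failed.
    """
    now = int(time.time()) if now is None else now
    record = USERS.get(username, DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
    pw_ok = hmac.compare_digest(candidate, record["pw_hash"])
    # Accept the current step and its two neighbours to tolerate clock skew.
    token_ok = any(hmac.compare_digest(totp(record["totp_secret"], now + d), token)
                   for d in (-30, 0, 30))
    return pw_ok and token_ok and username in USERS
```

Because `authenticate` returns only a boolean, the login handler has nothing finer-grained to leak in its error message or redirect behaviour.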

People

    • Assignee: Unassigned
    • Reporter: Mathieu CARBONNEAUX (info-apache@ch2o.info)