"Logout" via empty password
GoogleCodeExporter opened this issue · 2 comments
GoogleCodeExporter commented
As the "SecurityConsiderations" page states: "[...]With mod_authn_otp, the
"logout" happens exactly when the maximum linger time is reached.[...]".
If you're using a computer that is shared by others, they can reuse the possibly
sniffed PIN and OTP as long as the linger time has not passed. If you're
checking your mail on a public computer and then leave, there is a window of
opportunity of ([linger time] - [usage time]).
The attached patch changes the behaviour of basic authentication to log the user
out if an empty password is received. It simply clears the last_otp value
and returns AUTH_DENIED.
This way, before you leave the shared computer, you can close the browser and
reopen it, then revisit your website and simply log in with your username and no
password. The last_otp value is cleared, so even with a keylogger the next user
can't log in.
To make a denial-of-service attack (sending an empty password all the time and
kicking out the valid user) harder, the empty login request must be submitted
from the IP address that was recorded for the last successful use of the
password.
Original issue reported on code.google.com by phone.o.mat
on 18 Nov 2013 at 6:25
Attachments:
GoogleCodeExporter commented
There are two attachments. One contains the logout patch alone. The other one
combines it with the fallthrough patch because the order matters.
Original comment by phone.o.mat
on 18 Nov 2013 at 6:26
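The behaviour the two comments above describe, modelled end to end as an added example. This is illustrative Python written for this page, not the attached patch and not mod_authn_otp's C code. It assumes an RFC 4226 HOTP token with the PIN prefixed to the OTP, a linger window measured from the OTP's first successful use, the client IP recorded on every successful use, and a 600-second linger default; the class and function names (`OtpAuth`, `User`, `check`) and the sample key and PIN are constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

AUTH_GRANTED, AUTH_DENIED = "AUTH_GRANTED", "AUTH_DENIED"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class User:
    name: str
    pin: str
    key: bytes
    counter: int = 0       # next HOTP counter we expect from the token
    last_otp: str = ""     # OTP accepted most recently; reusable while it lingers
    last_ip: str = ""      # client IP recorded at the last successful use
    last_time: float = 0.0 # time of the OTP's first successful use


@dataclass
class OtpAuth:
    """Toy model of the module's basic-auth check with the logout patch applied (assumption)."""
    users: dict
    max_linger: int = 600  # seconds an OTP may be reused after first use (assumed default)
    lookahead: int = 5     # HOTP counter resynchronisation window

    def check(self, username: str, password: str, client_ip: str, now: float) -> str:
        user = self.users.get(username)
        if user is None:
            return AUTH_DENIED

        # The patch: an empty password is a logout request. To blunt the
        # "kick the real user out" DoS, honour it only from the IP that was
        # recorded for the last successful use of the password.
        if password == "":
            if user.last_otp and client_ip == user.last_ip:
                user.last_otp = ""
                user.last_ip = ""
            return AUTH_DENIED

        # Linger: the previously accepted PIN+OTP keeps working until the
        # linger time has passed since its first use, or until a logout.
        if user.last_otp and now - user.last_time <= self.max_linger:
            if hmac.compare_digest(password, user.pin + user.last_otp):
                user.last_ip = client_ip   # "last successful use"
                return AUTH_GRANTED

        # Otherwise this must be a fresh PIN+OTP; verify against the token.
        if len(password) <= len(user.pin):
            return AUTH_DENIED
        pin, otp = password[:len(user.pin)], password[len(user.pin):]
        if not hmac.compare_digest(pin, user.pin):
            return AUTH_DENIED
        for c in range(user.counter, user.counter + self.lookahead):
            if hmac.compare_digest(hotp(user.key, c), otp):
                user.counter = c + 1            # never accept this counter again
                user.last_otp, user.last_ip, user.last_time = otp, client_ip, now
                return AUTH_GRANTED
        return AUTH_DENIED


if __name__ == "__main__":
    # Constructed scenario: RFC 4226 test key, PIN 1234, shared computer at 10.0.0.5.
    auth = OtpAuth({"alice": User("alice", "1234", b"12345678901234567890")})
    print(auth.check("alice", "1234" + hotp(b"12345678901234567890", 0), "10.0.0.5", 0))
    print(auth.check("alice", "1234755224", "10.0.0.5", 100))   # reuse within linger
    print(auth.check("alice", "", "10.9.9.9", 100))             # other IP: no logout
    print(auth.check("alice", "", "10.0.0.5", 120))             # real logout
    print(auth.check("alice", "1234755224", "10.0.0.5", 130))   # keylogged creds now useless
```

The scenario in the `__main__` block walks the threat from the first comment: a reuse inside the linger window succeeds, an empty password from a different IP is denied without clearing the session, and after the real user's empty-password logout the keylogged PIN+OTP is rejected both because `last_otp` is cleared and because the HOTP counter has already moved past it.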
GoogleCodeExporter commented
Neat idea, thanks. Added in r133.
Original comment by archie.c...@gmail.com
on 18 Nov 2013 at 7:38
- Changed state: Fixed
- Added labels: Type-Enhancement
- Removed labels: Type-Defect