[bug #5313] "blocked, too many attempts" and sitemgr
msg#00647, web.phpgroupware.tracker

=================== BUG #5313: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=5313&group_id=509

Changes by: Chris Weiss <chris@xxxxxxxxxxxxxxx>
Date: Thu 10/30/2003 at 20:35 (America/Chicago)

What        | Removed | Added
---------------------------------------------------------------------------
Assigned to | None    | skwashd

------------------ Additional Follow-up Comments ----------------------------

assigning this to skwashd cause it's a security issue and looks to be forgotten. I don't know who it should go to otherwise.

=================== BUG #5313: FULL BUG SNAPSHOT ===================

Submitted by: None
Project: phpGroupWare
Submitted on: Mon 09/15/2003 at 10:56
Category: sitemgr
Bug Group: 0.9.16RC1
Severity: 5 - Major
Priority: High
Resolution: None
Assigned to: skwashd
Status: Open
Component Version: None
Platform Version: None
Reproducibility: Every Time

Summary: "blocked, too many attempts" and sitemgr

Original Submission:

came across this on the phpgw site itself. If someone attempts to log in to phpgw as the user that sitemgr is using too many times with the wrong password it manages to effectively lock out the site forever on a busy site. Nice little DoS bug. added a hard coded "hack" to prevent the user from ever being blocked to get site up again.

would the proper fix be to change login_blocked() to look only for "bad login or password" records when checking for # login attempts? This would still cause the user to be blocked, and the site to be down, for 30 minutes, or whatever the Admin sets as the "blocked time". Or even a change to the session class to say "sitemgr calling, don't block me"?

Follow-up Comments
*******************

-------------------------------------------------------
Date: Thu 10/30/2003 at 20:35
By: cw

assigning this to skwashd cause it's a security issue and looks to be forgotten. I don't know who it should go to otherwise.

-------------------------------------------------------
Date: Mon 09/15/2003 at 11:29
By: pooh_

Just as a reminder: This bug is in the same 'area' of interest: bug #5311

-------------------------------------------------------
Date: Mon 09/15/2003 at 10:58
By: cw

whoops, forgot to log in before submitting.. I sent in this one.

CC list is empty

No files currently attached

For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=5313&group_id=509

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
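The lockout behaviour discussed in the report, as an added example that is not part of the original message and is not phpGroupWare code. It is a small Python model that assumes the lockout check counts every failed record in the access log, including the "blocked, too many attempts" rejections it writes itself (the proposed fix implies this, the report does not show it); the threshold, the polling interval and the account name sitemgr_user are constructed for illustration.

```python
BAD = "bad login or password"
BLOCKED = "blocked, too many attempts"
OK = "ok"

BLOCK_TIME = 30 * 60   # seconds; the admin-set "blocked time" from the report
MAX_ATTEMPTS = 3       # constructed threshold, not taken from phpGroupWare


def login_blocked(log, login, now, bad_only):
    """True if `login` has more than MAX_ATTEMPTS counted failures in the window."""
    counted = (BAD,) if bad_only else (BAD, BLOCKED)
    recent = [ts for ts, who, result in log
              if who == login and result in counted and now - ts < BLOCK_TIME]
    return len(recent) > MAX_ATTEMPTS


def attempt(log, login, now, password_ok, bad_only):
    """Process one login attempt and append its outcome to the access log."""
    if login_blocked(log, login, now, bad_only):
        result = BLOCKED
    else:
        result = OK if password_ok else BAD
    log.append((now, login, result))
    return result


def simulate(bad_only, hours=3, interval=60):
    """Return the time (s) of the shared account's first successful login, or None."""
    log = []
    # Constructed input: a short run of wrong passwords against the shared account.
    for t in range(MAX_ATTEMPTS + 1):
        attempt(log, "sitemgr_user", t, password_ok=False, bad_only=bad_only)
    # The site then logs in with the correct password once per `interval` seconds.
    for now in range(interval, hours * 3600, interval):
        if attempt(log, "sitemgr_user", now, True, bad_only) == OK:
            return now
    return None


if __name__ == "__main__":
    print("count all failures, busy site :", simulate(bad_only=False))
    print("count bad passwords only      :", simulate(bad_only=True))
    print("count all failures, quiet site:", simulate(bad_only=False, interval=3600))
```

In this model the busy site never recovers when blocked rejections are counted, because its own rejected logins keep the window full; counting only bad-password records lets the block expire after the blocked time, which matches the 30-minute outage the submitter expects from that fix.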