Login Form security is checked after the pw is verified #4623

Closed
alexlehm opened this issue Feb 4, 2014 · 2 comments
Labels
Bug: For errors / faults / flaws / inconsistencies etc.
c: Security: For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
worksforme: The issue cannot be reproduced and things work as intended.

Comments

@alexlehm

alexlehm commented Feb 4, 2014

I am in the process of configuring my piwik installation to work with Cloudflare so I have set a client-ip configuration. Currently this is missing something so that the form security check of the login form fails.
I once accidentally used the wrong user when checking the login, and that gave the error "user or password incorrect" and not "form security failed", which means that the user/pw check comes first and then the security check for the form. That is not good, since it will enable attackers to do brute-force attempts even though they cannot get through the security check of the form. It would be better to first do the general form check and then the user/pw check, to disclose less information.

@mattab
Member

mattab commented Feb 5, 2014

If I disable cookies (making the form submission fail) then I always see the security check message. Even when typing proper username i get the security check message. If it's really a bug, please explain exactly how to reproduce.

@alexlehm
Author

alexlehm commented Feb 5, 2014

Turns out the conditions when this happens are more complicated than I thought.

When deleting the session cookie, the form security fails when either an existing or non-existing username is used.
When changing the last char of the session cookie value with e.g. cookie manager+, form security fails for existing users with either correct or incorrect password, but the login displays the user/password wrong message for nonexistent users.
However when I choose a completely wrong session-id like all 0s, form security always fails.

I didn't look at the source, but it seems that the sequence in which the conditions are checked is not completely right.
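The following is an added illustration of the ordering problem raised in the first comment and of the cookie-manipulation tests described in the last one. It is not Matomo/Piwik code and does not claim to reproduce the project's actual login controller: the user table, session store, message strings and the `login_lookup_first` handler are constructed assumptions. `login_lookup_first` models an ordering consistent with the "last char changed" observation above (the username is resolved before the form security check, so a nonexistent user gets the "user or password incorrect" message while an existing user gets "form security failed"); `login` is the ordering the reporter asks for, where the form check runs first and a bad cookie yields the same message whether or not the user exists. `probe` replays the three cookie variants from the thread against a handler and `leaks_user_existence` reports whether the responses differ between an existing and a nonexistent user.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

# --- Constructed sample data (assumption: not Matomo's user or session model) ---
_SALT = b"demo-salt"
_ITERATIONS = 50_000


def _hash_password(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, _ITERATIONS)


USERS: Dict[str, bytes] = {"alice": _hash_password("correct horse")}
SESSIONS: Dict[str, str] = {}  # session cookie value -> form nonce issued for that session

FORM_SECURITY_FAILED = "form security failed"
LOGIN_FAILED = "user or password incorrect"
LOGIN_OK = "login ok"


def start_session() -> Tuple[str, str]:
    """Issue a fresh session cookie and the nonce embedded in the login form."""
    sid, nonce = secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS[sid] = nonce
    return sid, nonce


def form_security_ok(cookie_sid: Optional[str], submitted_nonce: Optional[str]) -> bool:
    """The form check: cookie must name a live session and the nonce must match it."""
    if cookie_sid is None or submitted_nonce is None:
        return False
    expected = SESSIONS.get(cookie_sid)
    if expected is None:  # deleted, altered or all-zero cookie lands here
        return False
    return hmac.compare_digest(expected, submitted_nonce)


def credentials_ok(user: str, pw: str) -> bool:
    """Verify user/pw; hash even for unknown users so the cost does not reveal existence."""
    candidate = _hash_password(pw)
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)


def login_lookup_first(cookie_sid: Optional[str], nonce: str, user: str, pw: str) -> str:
    """Hypothetical ordering matching the reporter's 'last char changed' observation:
    the username is resolved before the form security check."""
    if user not in USERS:
        return LOGIN_FAILED
    if not form_security_ok(cookie_sid, nonce):
        return FORM_SECURITY_FAILED
    if not credentials_ok(user, pw):
        return LOGIN_FAILED
    return LOGIN_OK


def login(cookie_sid: Optional[str], nonce: str, user: str, pw: str) -> str:
    """Requested ordering: form security first, credentials only for well-formed submissions."""
    if not form_security_ok(cookie_sid, nonce):
        return FORM_SECURITY_FAILED
    if not credentials_ok(user, pw):
        return LOGIN_FAILED
    return LOGIN_OK


Handler = Callable[[Optional[str], str, str, str], str]


def probe(handler: Handler) -> Dict[str, Tuple[str, str, str]]:
    """Replay the thread's three cookie manipulations against a handler.
    Each scenario yields (existing user + correct pw, existing user + wrong pw,
    nonexistent user) so the messages can be compared side by side."""
    sid, nonce = start_session()
    scenarios: Dict[str, Optional[str]] = {
        "deleted cookie": None,
        "last char changed": sid[:-1] + ("0" if sid[-1] != "0" else "1"),
        "all zeros": "0" * len(sid),
    }
    results = {}
    for name, cookie in scenarios.items():
        results[name] = (
            handler(cookie, nonce, "alice", "correct horse"),
            handler(cookie, nonce, "alice", "wrong"),
            handler(cookie, nonce, "nobody", "correct horse"),
        )
    return results


def leaks_user_existence(results: Dict[str, Tuple[str, str, str]]) -> bool:
    """True if any scenario answers an existing and a nonexistent user differently."""
    return any(existing_ok != missing or existing_bad != missing
               for existing_ok, existing_bad, missing in results.values())


if __name__ == "__main__":
    for name, handler in (("lookup first", login_lookup_first), ("form check first", login)):
        print(name, "leaks user existence:", leaks_user_existence(probe(handler)))
```

With the form check first, every tampered or missing cookie produces "form security failed" regardless of the username, so an attacker who cannot pass the form check learns nothing about which accounts exist and cannot use the endpoint for password guessing; the credential check, including its hashing cost, is only ever reached by submissions that carry a valid session and nonce.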

This issue was closed.