[jboss-jira] [JBoss JIRA] Updated: (JBAS-2243) UsernamePassword/DatabaseServerLoginModule reveal too much information
Dimitris Andreadis (JIRA)
jira-events at jboss.com
Wed Sep 6 08:24:28 EDT 2006
[ http://jira.jboss.com/jira/browse/JBAS-2243?page=all ]
Dimitris Andreadis updated JBAS-2243:
-------------------------------------
Fix Version/s: (was: JBossAS-4.0.5.GA)
> UsernamePassword/DatabaseServerLoginModule reveal too much information
> ---------------------------------------------------------------------
>
> Key: JBAS-2243
> URL: http://jira.jboss.com/jira/browse/JBAS-2243
> Project: JBoss Application Server
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: JBossAS-4.0.3RC2
> Environment: 4.0.3RC2/EJB3
> Reporter: Jens Elkner
>
> If an authentication fails, the thrown javax.security.auth.login.FailedLoginException has a detailed message, which says "Password Incorrect/Password Required" or "No matching username found in Principals". This is pretty good information for an attacker, since then it knows where to continue its attack and is able to skip a lot of tasks (no matter whether it comes from the internal or external network; these days, attacks from the internal network are probably the most common case).
> Actually, that's also the reason why many authentication systems even insert a delay, so as not to let the attacker guess whether the guessed username or the guessed password was wrong (a minimal but measurable delay due to en/decryption) ...
> So, logging those details might be OK, but revealing that information to the client is without any doubt a security issue!
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
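The two failure modes the report describes, side by side, as an added example that is not part of the JIRA issue and not JBoss code (it is written in Python rather than the Java of the login modules, so that it runs stand-alone). `login_verbose` reproduces the reported behaviour: distinct messages for "no such user", "password required" and "password incorrect", and an early return when the user is missing, so the two failure paths also differ in time. `login_uniform` is the hardened pattern: a single client-visible message for every failure, the detailed reason written only to a server-side log, and the password hash always computed (against a dummy credential when the user does not exist) so that the "unknown user" path costs the same as the "wrong password" path. The user store, the PBKDF2 parameters and the message strings of the hardened variant are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
# Example data only; this is not the schema of JBoss's DatabaseServerLoginModule.
PBKDF2_ROUNDS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _make_user(password: str):
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


USERS = {
    "alice": _make_user("correct horse battery staple"),
}

# A dummy credential that can never match. It is used for unknown usernames so
# that the "no such user" path performs the same hash work as a real comparison.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


class FailedLogin(Exception):
    """Stands in for javax.security.auth.login.FailedLoginException."""


def login_verbose(username, password):
    """Behaviour the report describes: the exception message tells the client
    which part of the credential was wrong, and unknown users return before
    any hashing is done."""
    if password is None or password == "":
        raise FailedLogin("Password Required")
    record = USERS.get(username)
    if record is None:
        raise FailedLogin("No matching username found in Principals")
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        raise FailedLogin("Password Incorrect")
    return True


def login_uniform(username, password, log=None):
    """Hardened variant: one message for every failure, the real reason goes
    only to the server log (the list passed as `log`), and the hash is always
    computed so timing does not reveal whether the username exists."""
    reason = None
    record = USERS.get(username)
    if record is None:
        salt, stored = _DUMMY_SALT, _DUMMY_HASH
        reason = "no such user"
    else:
        salt, stored = record
    # Hash even when the user is unknown or the password is empty: same work on
    # every path. compare_digest keeps the comparison itself constant-time.
    candidate = _hash_password(password or "", salt)
    if not hmac.compare_digest(candidate, stored) and reason is None:
        reason = "password mismatch"
    if reason is not None:
        if log is not None:
            log.append(f"login failed for {username!r}: {reason}")
        raise FailedLogin("Invalid username or password")
    return True


def failure_message(fn, username, password):
    """Return the client-visible message for a failed login, or None on success."""
    try:
        fn(username, password)
    except FailedLogin as e:
        return str(e)
    return None


if __name__ == "__main__":
    for name, fn in (("verbose", login_verbose), ("uniform", login_uniform)):
        for user, pw in (("bob", "x"), ("alice", "x"), ("alice", "")):
            print(f"{name:8} {user!r:8} {pw!r:4} -> {failure_message(fn, user, pw)}")
```

In the verbose variant an attacker can separate the three failures by message alone; in the uniform variant the message is identical and the only record of the real cause is the log entry, which is what the report argues for (log the detail, do not return it). Note that the dummy-hash trick only equalises the hashing step; database round-trips or other work done only for existing users still need the same treatment.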