t oo created RANGER-2362:
----------------------------

             Summary: [security] Admin webui - Lack of account lockout
                 Key: RANGER-2362
                 URL: https://issues.apache.org/jira/browse/RANGER-2362
             Project: Ranger
          Issue Type: Bug
          Components: admin, Ranger
    Affects Versions: 1.0.0
            Reporter: t oo


Account lockout is a mechanism used to stop non-valid users from guessing the 
right password. It is also a protection against brute force attacks wherein 
an automated system can use common/dictionary passwords or even build passwords 
based on a set of characters just to try to guess the valid one.

The application does not implement an account lockout mechanism, leaving it 
susceptible to brute force attacks. These login pages were susceptible to this 
condition.

It is possible for an attacker to use dictionary or brute force attacks and 
set it to attempt sending the requests over a particular amount of time to bypass 
the validation. Once a username has been correctly guessed, the attacker may 
then be able to gain access to the application. Since it is vulnerable to the Form 
Auto Complete Active vulnerability (LINK), which makes the email addresses 
easier to guess, a brute force attack becomes more likely.

Enforce account lockout conditions to prevent intrusions and improve password 
requirements and complexities to avoid the chances of brute force and 
dictionary attacks from working.
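Added example, not Ranger code: a minimal per-account lockout of the kind the report asks for, with the lock checked before any password is verified and a sliding window of failures that expires on its own. The thresholds, the `AccountLockout` and `login` names and the sample user store are assumptions made for this example.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed policy: failures tolerated inside the window
WINDOW_SECONDS = 300    # assumed policy: sliding window for counting failures
LOCKOUT_SECONDS = 900   # assumed policy: lock duration once the threshold is hit

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"admin": (b"salt", _hash("correct horse battery", b"salt"))}  # constructed store

class AccountLockout:
    def __init__(self, clock=time.monotonic):
        self._clock = clock                   # injectable so tests can fake time
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> time when the lock expires

    def is_locked(self, user):
        if self._clock() < self._locked_until.get(user, 0):
            return True
        self._locked_until.pop(user, None)    # expired lock: forget it
        return False

    def record_failure(self, user):
        if self.is_locked(user):
            return True
        now, hits = self._clock(), self._failures[user]
        while hits and now - hits[0] > WINDOW_SECONDS:
            hits.popleft()                    # drop failures outside the window
        hits.append(now)
        if len(hits) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            hits.clear()
        return user in self._locked_until     # True once this account is locked

    def record_success(self, user):
        self._failures.pop(user, None)        # a valid login resets the counter

def login(lockout, users, user, password):
    if lockout.is_locked(user):               # checked before any password test
        return False
    rec = users.get(user)
    if rec and hmac.compare_digest(_hash(password, rec[0]), rec[1]):
        lockout.record_success(user)
        return True
    lockout.record_failure(user)              # unknown usernames are counted too
    return False
```

A permanent lock can itself be turned against legitimate administrators, which is why the lock here expires by itself; lock events are also worth logging so repeated lockouts on one account are visible to operators.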



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)