Issue #391 has been updated by Joe Campbell. File ltb-patch.tar added
Attaching a patch file that contains the following:

- A fix for this brute force attack
- A few English syntax fixes for the interface
- A few CSS changes to the interface
- The addition of an administrative email on passwd changes
- Externalization of the LDAP-specific config to a separate configuration file

I would have done these all separately (independent patches), but I failed to be involved in this project to start out with; I just downloaded and used it to fill a need in my org. I am sure it will take a while to incorporate all the stuff in this patch, but PLEASE ask questions if you have them. Thanks.

----------------------------------------
Bug #391: Email based password reset allows brute force attack using wildcard *
http://tools.lsc-project.org/issues/391

Author: Joe Campbell
Status: New
Priority: High
Assigned to:
Category: Self Service Password
Target version: self-service-password-?

The email based password reset allows an individual to test for user names to attack by using '*' wildcards, i.e. you can enter jc* in the username and it will return an error to you that indicates whether it found a user name that matches by starting with the letters j and c.
_______________________________________________ ltb-dev mailing list [email protected] http://lists.ltb-project.org/listinfo/ltb-dev
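As an added example (not code from the ticket, the attached patch, or Self Service Password itself, which is written in PHP), the following Python shows the defensive side of Bug #391: reject usernames outside a strict allowlist and escape LDAP filter metacharacters per RFC 4515 before the reset lookup, so a submitted "jc*" can never act as a wildcard. The uid attribute name, the allowlist pattern, the sample directory entries and the tiny filter matcher are all assumptions constructed for the demonstration.

```python
import re
from typing import Optional

# RFC 4515: these characters must be hex-escaped inside an assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_ldap_filter_value(value: str) -> str:
    """Escape user input so it is matched literally inside an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

# Assumed allowlist for login names; anything else is refused before any LDAP call.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def build_reset_filter(username: str, attr: str = "uid") -> Optional[str]:
    """Return the lookup filter for the reset form, or None if the username is rejected."""
    if not _USERNAME_RE.fullmatch(username):
        return None          # "jc*" never reaches the directory at all
    return f"({attr}={escape_ldap_filter_value(username)})"

def _unescape(value: str) -> str:
    """Turn \\XX hex escapes back into characters (matcher helper, illustration only)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _matches(filter_value: str, stored: str) -> bool:
    """Minimal equality-assertion matcher: an unescaped '*' is a wildcard, '\\2a' is not."""
    parts = re.split(r"(?<!\\)\*", filter_value)
    pattern = ".*".join(re.escape(_unescape(p)) for p in parts)
    return re.fullmatch(pattern, stored) is not None

# Constructed sample accounts standing in for the directory.
DIRECTORY = ["jcampbell", "jcarter", "alice"]

def count_matches(filter_value: str) -> int:
    """How many directory entries a given uid assertion value would match."""
    return sum(_matches(filter_value, uid) for uid in DIRECTORY)

if __name__ == "__main__":
    # Raw input used as the filter value: the wildcard reveals that two accounts start with "jc".
    print("raw 'jc*' matches:", count_matches("jc*"))
    # Escaped input only matches an account literally named "jc*", i.e. none.
    print("escaped 'jc*' matches:", count_matches(escape_ldap_filter_value("jc*")))
    # With the allowlist in front, the request is refused before any lookup happens.
    print("filter for 'jc*':", build_reset_filter("jc*"))
    print("filter for 'jcampbell':", build_reset_filter("jcampbell"))
```

Escaping closes the wildcard itself; the reset page should additionally return the same message whether or not the account exists, so that neither a match nor a miss leaks information.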
