Server vulnerability in get_login
Tryton server is vulnerable to malicious DoS / DDoS by exploiting the get_login method.
Exploit:
The script provided can cause a DoS / DDoS.
Discussion:
The current Tryton server stores unsuccessful login attempts in a database table.
Currently, the function implements a timeout method for failed login attempts, but only for those existing in the failed logins table.
If the attacker uses non-existing, random account ids, the failed timeout won't affect them.
Solution:
Implement the attached patch, which does not store the failed logins in a database table (res_user_login_attempt).
It also implements a fixed timeout of 3 seconds for any invalid login attempt, and removes the existing timeout of order 2^n.
There will be a configuration parameter (failed_login_timeout) that defines the timeout in seconds. The default will be 3 seconds.
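The following is an added illustration of the two behaviours described in the Discussion and Solution above; it is not Tryton's code or the attached patch. It uses a constructed in-memory user store and a hypothetical CONFIG dictionary standing in for the failed_login_timeout parameter. The weak form keeps a per-login failure table and applies a 2^n delay only to logins already recorded there, so a fresh random id never pays a delay; the hardened form keeps no state and applies the same fixed delay to every invalid attempt, whether or not the login exists. The `sleep` callable is injectable so the behaviour can be exercised without actually waiting.

```python
import hmac
import time

# Constructed sample credential store (not Tryton's schema).
USERS = {"alice": "correct horse battery staple"}

# Hypothetical config, mirroring the failed_login_timeout parameter
# described in the issue; default 3 seconds.
CONFIG = {"failed_login_timeout": 3}


def _password_matches(login, password):
    # Constant-time comparison; unknown logins simply fail.
    stored = USERS.get(login)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


# --- Weak form: penalty keyed on a failed-logins table ---
FAILED_ATTEMPTS = {}  # login -> number of recorded failures


def weak_login(login, password, sleep=time.sleep):
    """Return (success, delay_seconds).

    The 2**n delay is applied only to logins already present in
    FAILED_ATTEMPTS. A login never seen before has no entry, so an
    attacker rotating random, non-existing ids is never delayed.
    """
    delay = 0
    if login in FAILED_ATTEMPTS:
        delay = 2 ** FAILED_ATTEMPTS[login]
        sleep(delay)
    if _password_matches(login, password):
        FAILED_ATTEMPTS.pop(login, None)
        return True, delay
    FAILED_ATTEMPTS[login] = FAILED_ATTEMPTS.get(login, 0) + 1
    return False, delay


# --- Hardened form: fixed delay for any invalid attempt, no table ---
def hardened_login(login, password, sleep=time.sleep):
    """Return (success, delay_seconds).

    Every invalid attempt pays the same configured delay, whether the
    login exists or not, and nothing about the attempt is stored.
    """
    if _password_matches(login, password):
        return True, 0
    delay = CONFIG["failed_login_timeout"]
    sleep(delay)
    return False, delay


if __name__ == "__main__":
    # Demo with a recording sleep so the run does not actually block.
    delays = []
    for login in ("rnd-1", "rnd-2", "rnd-3"):
        print("weak", login, weak_login(login, "x", sleep=delays.append))
    for login in ("rnd-4", "alice"):
        print("hardened", login, hardened_login(login, "x", sleep=delays.append))
    print("delays applied:", delays)
```

Running the demo shows the weak form returning a zero delay for each fresh id, while the hardened form charges the configured 3 seconds for every failure regardless of whether the account exists.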
Files

| Download | Creator | Timestamp | Type |
|---|---|---|---|
| tryton_login_exploit.py | @meanmicio | 2016-03-08 14:37:33 UTC | text/plain |
| tryton_user_login.patch | @meanmicio | 2016-03-08 14:38:31.293000 UTC | text/plain |
| tryton_login_exploit_metrics.pdf | @meanmicio | 2016-03-08 16:47:18.843000 UTC | application/pdf |