Message 24643

Author: meanmicio
Date: 2016-03-08.15:37:32
Message id: 24643

Content

Tryton server is vulnerable to malicious DoS / DDoS by exploiting the
get_login method.


Exploit:
	The script provided can cause a DoS / DDoS.

Discussion:
	The current Tryton server stores unsuccessful login attempts in
	a database table.

	Currently, the function implements a timeout method for failed
	login attempts, but only for those existing in the failed
	logins table.
	If the attacker uses non-existing, random account ids, the
	failed timeout won't affect them.
	

Solution:
	Implement the attached patch, which does not store the failed logins in a
	database table (res_user_login_attempt).
	It also implements a fixed timeout of 3 seconds for any invalid
	login attempt, and removes the existing timeout of order 2^n.
	There will be a configuration parameter (failed_login_timeout)
	that defines the timeout in seconds. The default will be 3
	seconds.

Files

tryton_login_exploit.py (uploaded by meanmicio, 2016-03-08.15:37:33, text/plain)
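The weakness and the proposed fix, modelled as an added example (not Tryton's code and not the attached patch): the "before" variant keys its 2^n delay on a table of failed attempts, so login ids that never repeat are never delayed; the "after" variant charges a fixed `failed_login_timeout` on every failed attempt, known user or not. The user table, hashing and `sleep` callback are constructed for the example.

```python
import hashlib
import hmac

# Constructed user table (not Tryton's res_user schema): login -> password hash.
SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


USERS = {"admin": _hash("correct horse")}


def get_login_before(login, password, attempts, sleep):
    """Model of the reported behaviour: the delay only exists for logins
    that already have a row in the failed-attempts table, and grows as 2^n."""
    if login in attempts:
        sleep(2 ** attempts[login])
    user_hash = USERS.get(login)
    if user_hash is not None and hmac.compare_digest(user_hash, _hash(password)):
        attempts.pop(login, None)
        return login
    attempts[login] = attempts.get(login, 0) + 1  # a fresh random id starts at n=1 and is never delayed
    return None


def get_login_after(login, password, state, sleep, failed_login_timeout=3):
    """Fixed timeout for any invalid attempt; no per-login table is kept."""
    candidate = _hash(password)  # hash unconditionally so unknown logins cost the same
    user_hash = USERS.get(login)
    if user_hash is not None and hmac.compare_digest(user_hash, candidate):
        return login
    sleep(failed_login_timeout)  # same cost whether or not the login exists
    return None


def run_guesses(get_login, logins, password="wrong"):
    """Feed a sequence of login ids to a get_login variant and return the delays it imposed."""
    delays = []
    state = {}
    for login in logins:
        get_login(login, password, state, delays.append)
    return delays


if __name__ == "__main__":
    print("before, never-repeating ids:", run_guesses(get_login_before, ["r1", "r2", "r3"]))
    print("after, never-repeating ids:", run_guesses(get_login_after, ["r1", "r2", "r3"]))
```

The first call reports no delay at all for non-repeating ids, while the second reports three seconds per attempt.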
History

2016-03-08 15:37:35  meanmicio  set recipients: + ced, bch, yangoon, nicoe, sharkcz, ajacoutot
2016-03-08 15:37:34  meanmicio  set messageid: <1457447854.73.0.705602745329.issue5375@tryton.org>
2016-03-08 15:37:34  meanmicio  link issue5375 messages
2016-03-08 15:37:33  meanmicio  create