brute force login

Started by cpinetree, July 20, 2008, 11:43:32 PM

cpinetree

Using Coppermine v1.4.18, it seems that after trying to log in 3 times (which is what my setting is set for), the only time the screen showing you are blocked from this site comes up is after supplying the correct username + password.
In a nutshell, you can continue to brute force the login screen until seeing the permission denied screen; you then know a correct user + password, wait until the block time has expired, and log in normally.
Is there a way to show the denied screen after 3 failed login attempts, and ban until the time is up?
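The ordering problem described in the post above, as an added example that is not Coppermine's own code (the per-client key, the 600-second lockout and the credential store are constructed assumptions): `login_weak` verifies the password before consulting the lockout, so only a correct password ever reaches the blocked page, while `login_fixed` consults the lockout first so every attempt after the limit is answered the same way.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3      # the "3 tries" setting mentioned in the post
BLOCK_SECONDS = 600   # assumed lockout duration, not a Coppermine value
# Constructed credential store (plaintext for brevity; real code compares hashes).
USERS = {"alice": "correct-horse"}


class LoginGuard:
    """Per-client failed-login counter with a timed lockout (clock is injectable)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def _blocked(self, client):
        until = self.blocked_until.get(client)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self.blocked_until[client]     # lockout expired: start fresh
        self.failures[client] = 0
        return False

    def _record_failure(self, client):
        self.failures[client] += 1
        if self.failures[client] >= MAX_FAILURES:
            self.blocked_until[client] = self.clock() + BLOCK_SECONDS

    def login_weak(self, client, user, password):
        # Reported ordering: password verified before the lockout is consulted, so
        # wrong guesses always get "denied"; "blocked" appears only for the right one.
        if USERS.get(user) != password:
            self._record_failure(client)
            return "denied"
        return "blocked" if self._blocked(client) else "ok"

    def login_fixed(self, client, user, password):
        # Lockout first: from the failure that trips the limit until the timer
        # expires, every attempt gets "blocked" whatever the password.
        if self._blocked(client):
            return "blocked"
        if USERS.get(user) != password:
            self._record_failure(client)
            return "blocked" if self._blocked(client) else "denied"
        self.failures[client] = 0
        return "ok"
```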

Nibbler

Please post a link to your gallery and an account to test with.

cpinetree

I sent an email to you with the info, as I prefer not to post it publicly.
Thanks for your help.

cpinetree

Just wondering if there is any news on this?

Can anyone else duplicate this on their installs?

I thought it might get moved to the bug board if other people have the same issue.

Joachim Müller

It certainly won't get moved to the bugs board, as yours is not a valid bug report. The fact that others have the same issue doesn't make it a bug, but just a lot of pilot errors that can come from many different sources (client apps interfering, users forgetting their passwords, fantastico installs acting up, invalid cookie names, broken cookies in the browser, the browser not being configured properly yadda yadda). With an app being so popular, it's understandable that there are some users asking for support on a lot of things. This doesn't mean that features are buggy, but just that this is a busy forum and Coppermine a popular app.
Do as Nibbler suggested: he didn't ask to be sent a message - he asked you to post publicly. Not doing as suggested usually results in getting ignored.

Nibbler


cpinetree

Thanks for looking into this, Nibbler.
I think the application is great, and I have added additional logging so I will know if someone is trying to brute force the login.

Joachim Müller, I was not ignored as you suggest; Nibbler had made some tests, and I was trying to get input from others to see if it might be a problem with my browser, server, etc.
Your reply to this problem was both unnecessary and very condescending, as you gave no actual feedback about the problem, only possibilities that it may be due to my misconfiguration etc. I would welcome your feedback on how this works in your installation. I do not see an install on your web page or would have tried a few logins to see my results.

again,
   Thanks to all the developers and the helpful people in this community for a great program!

Joachim Müller

You proposed moving this thread to the bugs board and I told you that it won't get moved and also told you why. My testbed is none of your business, but I have more than one page that I maintain. If you want to perform tests, do so on the demo we provide.