Closed Bug 802709 Opened 12 years ago Closed 12 years ago

wiki.mozilla.org Password policy [brute force]

Categories

(Websites :: wiki.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: curtisk, Unassigned)

Details

(Keywords: sec-low, wsec-authentication)

Attachments

(2 files)

I have found that the https://wiki.mozilla.org login page URL https://wiki.mozilla.org/index.php?title=Special:UserLogin&returnto=Main%20Page is vulnerable to brute-force attacks, as there is no account lockout policy or CAPTCHA implementation: when an attacker submits the wrong password in the password input field, it prompts that we were unable to log you in, and when the attacker submits the right password in the password input field while doing advanced brute-forcing, no error message is displayed, as the attacker gets logged in and redirected to the https://wiki.mozilla.org/User:Ajaysinghnegi page. That means that the attacker can successfully do a brute-force attack (or password enumeration), as there is no CAPTCHA implemented or account lockout policy, and this attack can be done manually or by creating a script in Ruby or Python.

Thanks & Regards!

Ajay Singh Negi.
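The mitigation the report says is missing is a failed-login throttle with a lockout window. The following is an added illustration, not code from the bug or from MediaWiki; the thresholds, class and function names are assumptions, and it keys the lockout on both the account name and the client address so that a correct guess made during a lockout is still refused.

```python
import time
from collections import defaultdict, deque

# Constructed example of a sliding-window login throttle; thresholds are assumed values.
MAX_FAILURES = 5          # failed attempts allowed per window
WINDOW_SECONDS = 300      # sliding window length
LOCKOUT_SECONDS = 900     # how long a key stays locked after tripping

class LoginThrottle:
    """Tracks failed logins per key (account name or client IP)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> unlock time
    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                      # drop failures outside the window
    def is_locked(self, key):
        now = self.clock()
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lockout expired: reset counters
            del self.locked_until[key]
            self.failures[key].clear()
            return False
        return True
    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
    def record_success(self, key):
        self.failures[key].clear()

def attempt_login(throttle, account, ip, password_ok):
    """Returns 'locked', 'ok' or 'denied'."""
    # The lock check runs before the password is verified, so a correct
    # guess during lockout is refused and the attacker learns nothing.
    if throttle.is_locked(account) or throttle.is_locked(ip):
        return "locked"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    throttle.record_failure(ip)
    return "denied"
```

In a real login form the user-facing message for "locked" and "denied" should be identical, so the response does not reveal whether the lock tripped.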
wiki.mozilla.org is just MediaWiki, so any type of password lockout policy would need to be implemented upstream. Also, wikimo has nothing secret or confidential on it, so even if somebody did get into an account, any disruption would be minimal and easily revertible. As such, going to mark this WONTFIX for now.

Thanks for the report!
Group: websites-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
