search

archiecobbs / mod-authn-otp

Apache module for one-time password authentication
Apache License 2.0
63 stars 17 forks source link

"Logout" via empty password #24

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
Like the site "SecurityConsiderations" states: "[...]With mod_authn_otp, the 
"logout" happens exactly when the maximum linger time is reached.[...]".

If you're using a computer that is shared by others they can reuse the possibly 
sniffed PIN and OTP as long as the linger time has not passed. If you're 
checking your mails via a public computer and leave there is a window of 
opportunity ([linger time] - [usage time]).

The attached patch changes the behavior of the basic authentication to logout 
the user if an empty password is received. It simply clears the last_otp value 
and return AUTH_DENIED.

This way, before you leave the shared computer, you can close the browser and 
reopen it. Then revisit your website and simply login with your username and no 
password. The lost_otp value is cleared a even with a keylogger the next user 
can't login.

To make a denial of service attack (sending an empty password all the time and 
kicking out the valid user) harder, the empty login request must be submitted 
from the ip address that was recorded for the last successful use of the 
password.

Original issue reported on code.google.com by phone.o.mat on 18 Nov 2013 at 6:25

Attachments:

GoogleCodeExporter commented 9 years ago 
There are two attachments. One contains the logout patch alone. The other one 
combines it with the fallthrough patch because the order matters.

Original comment by phone.o.mat on 18 Nov 2013 at 6:26

GoogleCodeExporter commented 9 years ago 
Neat idea, thanks. Added in r133.

Original comment by archie.c...@gmail.com on 18 Nov 2013 at 7:38