owncloud / brute_force_protection

Brute-force protection app for ownCloud
GNU General Public License v2.0

Password protected URL doesn't work after protection enabled #149

Closed twlun86 closed 3 years ago

twlun86 commented 3 years ago

It is very frustrating when users report that all the previously password-protected links don't work when accessing content in a sub-folder. However, the content in the parent folder is fine. After deep investigation, I found the root cause was that brute-force protection was enabled during the version upgrade. The error is as below:


{"reqId":"YATzgilZMdQZxl1Yi0TU4gAAAAU","level":4,"time":"2021-01-18T10:33:38+08:00","remoteAddr":"10.4.32.81","user":"--","app":"webdav","method":"PROPFIND","url":"\/public.php\/webdav\/","message":"Exception: Too many failed attempts. Try again in 5 minutes.: {\"Exception\":\"OCA\\BruteForceProtection\\Exceptions\\LinkAuthException\",\"Message\":\"Too many failed attempts. Try again in 5 minutes.\",\"Code\":0,\"Trace\":\"#0 \\/var\\/www\\/owncloud\\/apps-external\\/brute_force_protection\\/lib\\/Hooks.php(159): OCA\\BruteForceProtection\\Throttle->applyBruteForcePolicyForLinkShare('l17rCXpS1xBGZOB', '10.4.32.81')\n#1 \\/var\\/www\\/owncloud\\/lib\\/composer\\/symfony\\/event-dispatcher\\/EventDispatcher.php(264): OCA\\BruteForceProtection\\Hooks->preLinkShareAuthCallback(Object(Symfony\\Component\\EventDispatcher\\GenericEvent), 'share.beforepas...', Object(Symfony\\Component\\EventDispatcher\\EventDispatcher))\n#2 \\/var\\/www\\/owncloud\\/lib\\/composer\\/symfony\\/event-dispatcher\\/EventDispatcher.php(239): Symfony\\Component\\EventDispatcher\\EventDispatcher->doDispatch(Array, 'share.beforepas...', Object(Symfony\\Component\\EventDispatcher\\GenericEvent))\n#3 \\/var\\/www\\/owncloud\\/lib\\/composer\\/symfony\\/event-dispatcher\\/EventDispatcher.php(73): Symfony\\Component\\EventDispatcher\\EventDispatcher->callListeners(Array, 'share.beforepas...', Object(Symfony\\Component\\EventDispatcher\\GenericEvent))\n#4 \\/var\\/www\\/owncloud\\/lib\\/private\\/Share20\\/Manager.php(1496): Symfony\\Component\\EventDispatcher\\EventDispatcher->dispatch(Object(Symfony\\Component\\EventDispatcher\\GenericEvent), Object(Symfony\\Component\\EventDispatcher\\GenericEvent))\n#5 \\/var\\/www\\/owncloud\\/apps\\/dav\\/lib\\/Connector\\/PublicAuth.php(98): OC\\Share20\\Manager->checkPassword( sensitive parameters replaced )\n#6 \\/var\\/www\\/owncloud\\/lib\\/composer\\/sabre\\/dav\\/lib\\/DAV\\/Auth\\/Backend\\/AbstractBasic.php(103): 
OCA\\DAV\\Connector\\PublicAuth->validateUserPass( sensitive parameters replaced )\n#7 \\/var\\/www\\/owncloud\\/lib\\/composer\\/sabre\\/dav\\/lib\\/DAV\\/Auth\\/Plugin.php(182): Sabre\\DAV\\Auth\\Backend\\AbstractBasic->check(Object(Sabre\\HTTP\\Request), Object(Sabre\\HTTP\\Response))\n#8 \\/var\\/www\\/owncloud\\/lib\\/composer\\/sabre\\/dav\\/lib\\/DAV\\/Auth\\/Plugin.php(137): Sabre\\DAV\\Auth\\Plugin->check(Object(Sabre\\HTTP\\Request), Object(Sabre\\HTTP\\Response))\n#9 \\/var\\/www\\/owncloud\\/lib\\/composer\\/sabre\\/event\\/lib\\/WildcardEmitterTrait.php(89): Sabre\\DAV\\Auth\\Plugin->beforeMethod(Object(Sabre\\HTTP\\Request), Object(Sabre\\HTTP\\Response))\n#10 \\/var\\/www\\/owncloud\\/lib\\/composer\\/sabre\\/dav\\/lib\\/DAV\\/Server.php(454): Sabre\\DAV\\Server->emit('beforeMethod:PR...', Array)\n#11 \\/var\\/www\\/owncloud\\/lib\\/composer\\/sabre\\/dav\\/lib\\/DAV\\/Server.php(251): Sabre\\DAV\\Server->invokeMethod(Object(Sabre\\HTTP\\Request), Object(Sabre\\HTTP\\Response))\n#12 \\/var\\/www\\/owncloud\\/lib\\/composer\\/sabre\\/dav\\/lib\\/DAV\\/Server.php(319): Sabre\\DAV\\Server->start()\n#13 \\/var\\/www\\/owncloud\\/apps\\/dav\\/appinfo\\/v1\\/publicwebdav.php(105): Sabre\\DAV\\Server->exec()\n#14 \\/var\\/www\\/owncloud\\/public.php(75): require_once('\\/var\\/www\\/ownclo...')\n#15 {main}\",\"File\":\"\\/var\\/www\\/owncloud\\/apps-external\\/brute_force_protection\\/lib\\/Throttle.php\",\"Line\":112}"}

phil-davis commented 3 years ago

Please give more detail of the sequence that caused this, including versions of ownCloud10 upgrading from and to, versions of brute_force_protection app etc. Password-protected public links lock correctly for me after 3 incorrect attempts.

For example, I have logged in with a Chrome incognito browser tab and browsed into the sub-folder http://172.17.0.1:8080/index.php/s/oL5u1thzrsf4yaA?path=%2Fsub

Then I opened an incognito browser tab in Firefox, and put in a wrong password 4 times. The 4th time it correctly tells me "Too many failed attempts".

The Chrome incognito browser tab continues to work fine. I guess that it has some token that is still valid. I was thinking that it would get locked out, because it should be coming from the same IP address as the incognito Firefox.
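To make the lockout behaviour discussed above concrete, here is a small Python model added for illustration (it is not the brute_force_protection app's code): a throttle keyed by (share token, client IP), as the applyBruteForcePolicyForLinkShare call in the trace suggests, using the default threshold of 5 and the 5-minute window from the error message. The class, the sliding-window logic and the scenario are assumptions made for this example.

```python
from collections import defaultdict

DEFAULT_THRESHOLD = 5      # failed attempts per (share token, IP) before lockout; app default cited in the thread
LOCKOUT_SECONDS = 5 * 60   # matches "Try again in 5 minutes." in the logged exception


class LinkAuthException(Exception):
    """Raised when a (share token, IP) pair is throttled; name taken from the stack trace."""


class LinkShareThrottle:
    """Hypothetical per-(token, IP) failure counter with a sliding lockout window (an assumption, not the app's logic)."""

    def __init__(self, threshold=DEFAULT_THRESHOLD, lockout=LOCKOUT_SECONDS):
        self.threshold = threshold
        self.lockout = lockout
        self._failures = defaultdict(list)  # (token, ip) -> timestamps of recent failed attempts

    def apply_policy(self, token, ip, now):
        """Call before verifying the password; raises when the pair is locked out."""
        key = (token, ip)
        self._failures[key] = [t for t in self._failures[key] if now - t < self.lockout]
        if len(self._failures[key]) >= self.threshold:
            raise LinkAuthException("Too many failed attempts. Try again in 5 minutes.")

    def record(self, token, ip, success, now):
        if success:
            self._failures.pop((token, ip), None)  # a correct password clears the counter
        else:
            self._failures[(token, ip)].append(now)


def check_link_password(throttle, token, ip, password, expected, now):
    """True/False for the password, or LinkAuthException when the pair is throttled."""
    throttle.apply_policy(token, ip, now)
    ok = password == expected
    throttle.record(token, ip, ok, now)
    return ok


def simulate_lockout(threshold=DEFAULT_THRESHOLD):
    """Constructed scenario: `threshold` wrong guesses lock (token, IP); another token from the same IP still works."""
    th = LinkShareThrottle(threshold=threshold)
    t0 = 1_000_000.0  # constructed epoch timestamp
    for i in range(threshold):
        check_link_password(th, "TOKEN_A", "10.0.0.1", "wrong", "secret", t0 + i)
    try:
        check_link_password(th, "TOKEN_A", "10.0.0.1", "secret", "secret", t0 + threshold)
        locked = False
    except LinkAuthException:
        locked = True
    other_token_ok = check_link_password(th, "TOKEN_B", "10.0.0.1", "secret", "secret", t0 + threshold)
    after_window_ok = check_link_password(th, "TOKEN_A", "10.0.0.1", "secret", "secret", t0 + LOCKOUT_SECONDS + 1)
    return locked, other_token_ok, after_window_ok
```

Even the correct password is rejected once the pair is locked, which is exactly what a user sees when the counter has been filled by earlier requests; the lock expires on its own once the window has passed.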

twlun86 commented 3 years ago

> Please give more detail of the sequence that caused this, including versions of ownCloud10 upgrading from and to, versions of brute_force_protection app etc. Password-protected public links lock correctly for me after 3 incorrect attempts.
>
> For example, I have logged in with a Chrome incognito browser tab and browsed into the sub-folder http://172.17.0.1:8080/index.php/s/oL5u1thzrsf4yaA?path=%2Fsub
>
> Then I opened an incognito browser tab in Firefox, and put in a wrong password 4 times. The 4th time it correctly tells me "Too many failed attempts".
>
> The Chrome incognito browser tab continues to work fine. I guess that it has some token that is still valid. I was thinking that it would get locked out, because it should be coming from the same IP address as the incognito Firefox.

At first, I upgraded the version from 10.4.0 to 10.5.0, and version 10.4.0 had itself been upgraded a few times from the initial 10.x version.

I tried the existing link with the correct password, but it shows an error once I enter a sub-folder, and I'm sure the credentials are correct, or otherwise I wouldn't be able to log in.

Subsequently I tried generating a new password-protected link and accessing it in incognito mode. Same error when clicking on a sub-folder; no issue when clicking on any files in the parent folder.

The folder was accessible immediately after turning off brute-force protection, and the error came back right after I turned the protection on again. I tried increasing the protection threshold to 10 from the default value of 5, but still no luck.

karakayasemi commented 3 years ago

Looks like the same issue as https://github.com/owncloud/brute_force_protection/issues/138. It is resolved with a core update. Please upgrade your server version to 10.6 or apply this patch to your server: https://github.com/owncloud/core/pull/38016.

If the problem still exists, please re-open the issue. Closing for now. Thanks.