What steps will reproduce the problem?
1. Enter sufficient bad passwords or bad answers to challenge questions to
cause an LDAP directory lockout.
2. Close browser
3. Open browser and navigate to forgotten password
4. Search for email address
5. User is presented with a challenge question
6. If the user answers the challenge question incorrectly, he/she is advised
that he/she is locked out.
What is the expected output?
Given that the user is locked out, he/she should not be allowed to try a
challenge question at step 5. This should only be allowed after the lockout
period has expired.
What do you see instead?
The user sees a challenge question every time he/she restarts the browser and
navigates to the forgotten password page.
What version of PWM are you using? 1.7.1
What ldap directory and version are you using? Active Directory Windows 2008.
Comment and proposed solution:
It seems clear that the forgotten password servlet in 1.7.1 allows the
presentation of a challenge question immediately after a successful user
search. Only after such a question is answered incorrectly does PWM see that
the user is locked out. There is a test following the user search process, but
this test only determines whether or not a user has been found.
To correct the logic, a second test needs to be added. The LDAPChaiUser
object's IS_LOCKED attribute should be checked and the user should be advised
and an error thrown if the attribute is true.
This is a moderately serious bug as it allows unlimited attempts at the
challenge questions which may be more guessable than passwords. Limiting the
number of attempts at challenge questions should be a matter of policy.
Please paste any error log messages below:
N/A - there is no error.
Original issue reported on code.google.com by michaelc...@gmail.com on 17 Feb 2015 at 9:57
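The control-flow defect described above, and the proposed second test, modelled as an added example. This is not PWM code and does not use the Chai API: DirectoryUser is a constructed stand-in for the LDAP user record, the lockout threshold and duration are constructed policy values, and the "browser restart" is simply a fresh call into the handler. The vulnerable handler presents and evaluates the challenge straight after a successful search and only notices the lock after a wrong answer; the fixed handler checks the lock state first and refuses the challenge until the lockout window has expired.

```python
from dataclasses import dataclass

# Constructed policy values (hypothetical; PWM/AD policy would supply these).
LOCKOUT_THRESHOLD = 3        # failed attempts before the directory locks the account
LOCKOUT_DURATION = 30 * 60   # lockout window in seconds


@dataclass
class DirectoryUser:
    """Constructed stand-in for the LDAP user record (not PWM's LDAPChaiUser)."""
    email: str
    answer: str               # stored challenge answer (plain text only for the model)
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked

    def is_locked(self, now: float) -> bool:
        # Equivalent of reading the IS_LOCKED state from the directory.
        return now < self.locked_until

    def record_failure(self, now: float) -> None:
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION

    def record_success(self) -> None:
        self.failed_attempts = 0
        self.locked_until = 0.0


def make_directory() -> dict:
    """Fresh constructed directory so each scenario starts unlocked."""
    return {"alice@example.test": DirectoryUser("alice@example.test", "blue")}


def forgotten_password_vulnerable(directory, email, answer, now):
    """Flow as reported for 1.7.1: the only test after the search is 'was a user found'."""
    user = directory.get(email)
    if user is None:
        return "not_found"
    # Challenge is presented and evaluated without consulting the lock state.
    if answer == user.answer:
        user.record_success()
        return "reset_allowed"
    user.record_failure(now)
    # The lock is only discovered after the wrong answer has been processed.
    return "locked_out" if user.is_locked(now) else "wrong_answer"


def forgotten_password_fixed(directory, email, answer, now):
    """Proposed logic: a second test on the lock state before any challenge is shown."""
    user = directory.get(email)
    if user is None:
        return "not_found"
    if user.is_locked(now):
        # Advise the user and stop; no challenge question until the lockout expires.
        return "locked_out"
    if answer == user.answer:
        user.record_success()
        return "reset_allowed"
    user.record_failure(now)
    return "locked_out" if user.is_locked(now) else "wrong_answer"


def run_scenario(handler) -> list:
    """Reproduce the report's steps against one handler and return each outcome."""
    directory = make_directory()
    email = "alice@example.test"
    outcomes = []
    # Step 1: enough bad answers to trigger the directory lockout.
    for t, guess in enumerate(["red", "green", "yellow"]):
        outcomes.append(handler(directory, email, guess, now=float(t)))
    # Steps 2-5: "restart the browser" and come back with the correct answer
    # while the account is still locked.
    outcomes.append(handler(directory, email, "blue", now=10.0))
    # Retry after the lockout window has elapsed.
    outcomes.append(handler(directory, email, "blue", now=10.0 + LOCKOUT_DURATION))
    return outcomes


if __name__ == "__main__":
    print("vulnerable:", run_scenario(forgotten_password_vulnerable))
    print("fixed:     ", run_scenario(forgotten_password_fixed))
```

The fourth outcome is the one that matters: the vulnerable handler accepts a correct guess while the account is locked, which is what makes the challenge answers guessable without limit, whereas the fixed handler returns the locked-out advice and only admits the challenge once the window has passed.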