Security Update

Posted At : March 9, 2007 11:25 AM | Posted By : Raymond Camden
Related Categories: BlogCFC

I just released a security update. It address two issues. Please download like - um - now.

Comments (5) | Print | Send | del.icio.us | Digg It! | Linking Blogs | 3250 Views
Comments
[Add Comment]
Scott P's Gravatar In trying to figure out why the delay, I came across this that help to explain it.


From: http://www.wwwcoder.com/Default.aspx?tabid=68&...

A better strategy for blocking any brute force attack is to incrementally delay the page response after failed login attempts. After the first failed login attempt, for example, the response would be delayed by one second. After the second failed attempt, the response would be delayed by two seconds, and so on. A one-, two-, or even six-second delay is probably not going to bother a human userdh too seriously. Certainly he will find it less irritating than having to wait 30 minutes for his account to reactivate because he accidentally left his caps lock key on. On the other hand, an incrementing delay can completely defeat an automated tool being used for a brute force attack. Assuming the tool could normally make ten requests per second, the time it would take to make one thousand requests would jump from two minutes to five days. This pretty much renders the brute force attack tool useless. An incrementing delay also solves the problem of the attacker holding the password constant and varying the username. Since the system tracks failed login attempts on a user session basis and not an authentication credential basis, the delay logic cannot be bypassed this way.
# Posted By Scott P | 3/9/07 1:49 PM
Shlomy Gantz's Gravatar You mean something like this :

<cfparam name="session.FailedLogin" default="0" >
<cfset session.FailedLogin = session.FailedLogin +1>
<cfset createObject("java", "java.lang.Thread").sleep(JavaCast("int", session.FailedLogin*500))>
# Posted By Shlomy Gantz | 3/10/07 3:20 AM
Rob Brooks-Bilson's Gravatar Hi Ray,

What are the two issues? Email me if you don't want to post here.
# Posted By Rob Brooks-Bilson | 3/10/07 6:29 AM
Shlomy Gantz's Gravatar the issue is http://blogcfc.riaforge.org/index.cfm?event=page.i...
# Posted By Shlomy Gantz | 3/10/07 10:34 AM
Scott P's Gravatar @Shlomy - just to be clear, the text in my comment was cut-n-pasted from the link. The other paragraphs on the page are what the author was referring to by a better strategy.

But in answer to your question, yes something exactly like you posted.


thanks
# Posted By Scott P | 3/10/07 10:41 PM
[Add Comment]
BlogCFC was created by Raymond Camden. This blog is running version 5.6.001.