Hi
This is a bug I've noticed with the software. Bear with me while I give the details.
Joomla: 1.5.18
PHP: 5.3.2
RSFirewall: 1.0.0 Rev 15
As we're using Joomla! as an intranet, we've turned on the Authentication - LDAP plugin, so users use their network username and password to login. This works fine, and creates a new user for this person.
When it creates the user, however, it doesn't save the password to the users table. This doesn't affect our users, as they only need to be authenticated.
However, RSFirewall is looking to make sure no un-authenticated users get in, and logs any unsuccessful attempts. RSFirewallHelper::checkLoginAttempts() is the function that does this, but it does it wrong. It checks to see if a username exists by checking to see if a query on the username supplied by the login attempt returns a password. As our users are created by LDAP, the logic check says that the user doesn't exist because the password field in the DB is blank. It then logs the username and password in the clear, in the database, for a successful login, as if it was an unsuccessful login. This is a huge security hole for us, so I've hacked the code to stop it storing passwords for login attempts.
For compatibility purposes, can I suggest this section of the code be changed? First off, check the number of returned rows, rather than whether the password is greater than 0. This will limit false positives.
Secondly, provide an administration option to turn off this section of the code. If I implement the first suggestion, I'm going to get an alert with a status of high on every successful login. As it is, I get one of medium, but I can deal with that. Ideally the active scanner would note whether the user was authenticated rather than whether the passwords matched, to handle authentication plugins other than the default Joomla! one.
Let me know if you need any more details.
--- Ben
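The two existence checks described in the report, side by side, as an added example (not RSFirewall's or Joomla's own code): the flawed "does the query return a password" test, the row-count test the report suggests, and an attempt record that omits the submitted password. It assumes Joomla 1.5's JDatabase API (JFactory::getDBO, setQuery, loadResult, Quote); the function names are hypothetical.

```php
<?php
// Added example, not RSFirewall code. Assumes Joomla 1.5 JDatabase methods.

// Flawed check: a user is assumed to exist only if the stored password
// column is non-empty. Accounts created by the LDAP authentication plugin
// have an empty password column, so every successful LDAP login is
// classified as a failed attempt by this test.
function userExistsByPasswordLength($username)
{
    $db = JFactory::getDBO();
    $db->setQuery('SELECT password FROM #__users WHERE username = '
        . $db->Quote($username));
    $password = $db->loadResult();
    return strlen($password) > 0;   // false for LDAP-created users
}

// Corrected check: count matching rows; the password column is irrelevant
// to whether the account exists, so LDAP users are no longer false positives.
function userExistsByRowCount($username)
{
    $db = JFactory::getDBO();
    $db->setQuery('SELECT COUNT(*) FROM #__users WHERE username = '
        . $db->Quote($username));
    return (int) $db->loadResult() > 0;
}

// Record of a failed attempt to persist. The submitted password is accepted
// by the function only to make the point explicit: it is never stored, so a
// misclassified successful login cannot leak working credentials.
function buildAttemptRecord($username, $password, $ip)
{
    unset($password);
    return array(
        'username'  => $username,
        'ip'        => $ip,
        'attempted' => date('Y-m-d H:i:s'),
    );
}

// Usage: evaluate an attempt with the corrected logic.
function classifyAttempt($username, $password, $ip)
{
    if (userExistsByRowCount($username)) {
        return null;                         // known account, nothing to log
    }
    return buildAttemptRecord($username, $password, $ip);
}
```

Whether the login actually succeeded is still better taken from Joomla's own login outcome than from a password comparison, as the report's third point suggests, so that any authentication plugin is handled the same way.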