A bug in the WebUI can lead to disclosure of the credentials of previously logged in users. Under certain conditions a local, physical attacker can get access to passwords of previously logged in users from the WebUI. Details Preconditions This problem occurs, if the following conditions apply: A logged in […]
Security
7 posts
A bug in the passOnNoUser policy allows authentication with an arbitrary password. Affected version: up to privacyIDEA 2.11.2 Propability: Medium Security Severity: High Technical Background The passOnNoUser policy is supposed to check if an authenticating user exists. If the user exists, normal authentication is performed. If the user does not exist in the user […]
Dmitri Pal blogged about the offline functionalities of the SSSD with RHEL 7.2. These SSSD offline functionalities is intended to increase performance to not contact the IdM server all the time. I wonder if the timeout can not only set to some seconds but also to go offline with the client. […]
Today is the Data Privacy Day. In Europe it is called Data Protection Day. Data Privacy Day This day is foremost ment to sensitize companies and users to take care when handling with private data. Especially in social media. But you can not devide your social life from your work […]
With SMS OTP a one time password is sent to a mobile phone. The user is supposed to enter this one time password in addition to his static password. This way, the authenticating party thinks to verify, that the user is in the possession of the mobile phone. This is […]
Today I added the crypto considerations to the FAQ section of the privacyIDEA documentation. Users who might want to use privacyIDEA will wonder how crypto is handled. So this makes it easier for them to get a first impression without having to study the source code. In fact this is also a […]
A bug in the LDAP Resolver can lead to unauthorized access as an LDAP user. Under certain conditions a rogue user can login as an LDAP user to the privacyIDEA web UI or guess a static password part during authentication when the policy scope=authentication, otppin=userstore is used. Details Preconditions This problem […]