Lockout policies are not properly applied to LDAP and Domain Users #4579
Comments
TheWitness
added
bug
TheWitness
added a commit
that referenced
this issue
Feb 27, 2022
#4578, #4574 -security#4576: Stored XSS Issue in Cacti Device, Graph, Graph Template, and Graph Items callbacks -security#4579: Cacti account lockout policies are not properly applied to LDAP and Domain Users -issue#4573: The Cacti permission system does not scale to very large installations -issue#4575: When you delete a user, their 'remember me' cookie data is not automatically removed -issue#4576: Stored XSS Issue in Cacti Device, Graph, Graph Template, and Graph Items callbacks -issue#4577: Cacti allows you to disable the currently logged in administrator disabling the user -issue#4578: The Cacti login algorithm is complicated to understand due to too much strait line code -feature#4574: Cacti needs some additional permission methods for larger installations This change properly documents the file lib/auth.php using phpDocument format, and performed multiple sanity and readability changes such as the renaming of variables commonly used in multiple functions. The the restructuring of the three authentication files: - auth_login.php - include/auth.php - lib/auth.php Makes the code more readable, it's not a complete solution, however, it is much easier to follow now.
netniV
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Describe the bug
Due to the complexity of the authentication code, the case where LDAP users should be applied a lockout policy was missed. This can cause opportunities for Cacti to be used to compromise LDAP security when the LDAP does not do this for itself.
Expected behavior
Cacti should allow these users to be locked out after a certain number of attempts.
The text was updated successfully, but these errors were encountered: