I just wanted to raise a security issue directly with your team. Having installed Ubuntu Enterprise Cloud for some internal testing, I have noticed that the admin function powered by Eucalyptus is vulnerable to trivial user enumeration and password brute force attacks.
When an incorrect user name is supplied to the login page the following error is returned:
Error: Incorrect password
As compared to an invalid user name which gives:
Error: Username '' not found
Once a valid username has been identified it is then possible to brute force the password without any account lock out.
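As an added example (not part of the report above and not Eucalyptus code), the following Python shows the two behaviours the report describes side by side: a login handler whose error text differs for unknown users versus wrong passwords, with no lockout, next to a hardened handler that returns one generic message, hashes a dummy value for unknown usernames so response time does not leak existence either, and locks a username after repeated failures. The user store, salt, thresholds and the `enumerate_users` helper are all constructed for illustration.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict, List, Optional


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real service uses; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALT = b"fixed-demo-salt"  # constructed; production code uses a random per-user salt
USERS: Dict[str, bytes] = {"admin": _hash("s3cret", SALT)}  # constructed user store
# Hashed for every unknown username so failures take the same time as for known ones.
DUMMY_HASH = _hash("dummy", SALT)


def login_vulnerable(username: str, password: str) -> str:
    """Mirrors the reported behaviour: the error text reveals whether the account exists,
    and nothing limits repeated guesses."""
    stored = USERS.get(username)
    if stored is None:
        return f"Error: Username '{username}' not found"
    if not hmac.compare_digest(stored, _hash(password, SALT)):
        return "Error: Incorrect password"
    return "OK"


class Throttle:
    """Sliding-window failure counter keyed on the submitted username string.
    Keying on the string (not on a real account) keeps unknown and known usernames
    indistinguishable, so the lockout message itself cannot be used for enumeration."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, key: str, now: float) -> bool:
        return self._locked_until.get(key, 0.0) > now

    def record_failure(self, key: str, now: float) -> None:
        hits = [t for t in self._failures.get(key, []) if now - t < self.window]
        hits.append(now)
        self._failures[key] = hits
        if len(hits) >= self.max_failures:
            self._locked_until[key] = now + self.lockout

    def reset(self, key: str) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


GENERIC_FAILURE = "Error: Invalid username or password"
LOCKED = "Error: Too many failed attempts; try again later"


def login_hardened(username: str, password: str, throttle: Throttle, now: Optional[float] = None) -> str:
    """One message for every failure, constant work for unknown users, lockout after repeated failures."""
    now = time.time() if now is None else now
    if throttle.is_locked(username, now):
        return LOCKED
    stored = USERS.get(username, DUMMY_HASH)      # always hash, even for unknown users
    matches = hmac.compare_digest(stored, _hash(password, SALT))
    if not (matches and username in USERS):       # the dummy hash must never grant access
        throttle.record_failure(username, now)
        return GENERIC_FAILURE
    throttle.reset(username)
    return "OK"


def enumerate_users(login: Callable[[str, str], str], candidates: List[str]) -> List[str]:
    """Attacker's view: every candidate whose error text is not a 'not found' message
    looks like a valid account. Against the hardened handler this returns all candidates,
    i.e. the responses carry no information about which accounts exist."""
    return [u for u in candidates if "not found" not in login(u, "x")]
```

Locking on the username string stops the brute force the report describes but lets an attacker lock real accounts on purpose; in practice the same counter is also applied per source address with exponential backoff or a CAPTCHA step, and lockouts are logged so the attempt shows up in monitoring.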