Comment 0 for bug 579942

CERT (cert) wrote :

I just wanted to raise a security issue directly with your team. Having installed Ubuntu Enterprise Cloud for some internal testing, I have noticed that the admin function powered by Eucalyptus is vulnerable to trivial user enumeration and password brute force attacks.

When an incorrect user name is supplied to the login page the following error is returned:

 Error: Incorrect password

As compared to an invalid user name, which gives:

 Error: Username '' not found

Once a valid username has been identified it is then possible to brute force the password without any account lock out.