1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Bug #17357535 BACKPORT BUG#16241992 TO 5.5

Browse Source 
Problem:
COM_CHANGE_USER allows brute-force attempts to crack a password at a very high
rate as it does not cause any significant delay after a login attempt has
failed. This issue was reproduced using John-The-Ripper password
cracking tool through which about 5000 passwords per second could be attempted.

Solution:
The non-GA version's solution was to disconnect the connection when a login
attempt failed. Now since our aim to to reduce the rate at which passwords 
are tested, we introduced a sleep(1) after every login attempt failed. This
significantly increased the delay with which the password was cracked.
This commit is contained in:
Anirudh Mangipudi 2013-10-18 17:14:39 +05:30
parent 6f43d3cab7
commit 37502cfaae
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sql/sql_parse.cc
View File

@ -971,6 +971,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
thd->variables.collation_connection= save_collation_connection; thd->variables.collation_connection= save_collation_connection;
thd->variables.character_set_results= save_character_set_results; thd->variables.character_set_results= save_character_set_results;
thd->update_charset(); thd->update_charset();
sleep(1);
} }
else else
{ {