Reshad Al Rabeh - 2017-04-12

Refer to the priv_event_issue table in iTop. All failed login attempts are stored there (at least for LDAP users). Both the username and the password that the user attempted to enter are stored as plaintext. Generally a failed attempt is only one or two characters away from the correct password, making it very easy to guess for a would-be attacker.

This is a critical vulnerability, as anyone with access to the database, or even a database backup, will have the ability to see all failed attempts from all users, including Directors, CTOs, Supervisors, Admins etc. This goes beyond the scope of iTop by making the entire Active Directory infrastructure vulnerable.

Please release an update to resolve this immediately!

Regards,
Reshad


Last edit: Reshad Al Rabeh 2017-04-12