|Applies To||RSA ClearTrust 5.5.2 Authorization Server (AServer); RSA ClearTrust Agent 4.0 for Sun ONE Web Server 6.0|
|Issue||A locked-out user presenting a valid password is redirected to the invalid password page in RSA ClearTrust|
The RSA ClearTrust Agent redirects a locked-out user to the locked-out page (i.e. the page configured for cleartrust.agent.login_auth_user_locked_out in webagent.conf) whether the password presented is valid or invalid. This behavior reveals to a potential unauthorized user that a given user ID exists, and that it is locked out, without that user ever having to supply a correct password.
The order in which the password is verified and the locked-out status is checked changed in RSA ClearTrust 5.5.3. With ClearTrust 5.5.3, the Agent redirects a locked-out user to the locked-out page (cleartrust.agent.login_auth_user_locked_out) only if the user enters a valid password. If an invalid password is presented for a locked-out user ID, the user is redirected to the invalid password page (cleartrust.agent.login_error_pw_location_basic), the same page an unknown user ID would produce.
The RSA ClearTrust Agent depends on the status returned by the ClearTrust Authorization Server. In the affected version, the Authorization Server returns the locked-out status (ADMIN_LOCKOUT) to the Agent without verifying the password, because the locked-out check runs before password verification. As a result, the Agent redirects a locked-out user to the locked-out page regardless of the password presented.
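The two check orders the article contrasts, as an added illustration that is not RSA ClearTrust's own code. The user store, the password hashing, and the status names other than ADMIN_LOCKOUT are constructed for the example; the redirect page keys are the webagent.conf keys named above.

```python
import hashlib
import hmac
import os

# Constructed sample user store standing in for the ClearTrust user database.
# Each entry holds a salt, a PBKDF2 hash of the password, and the admin lockout flag.
def _make_entry(password: str, locked: bool) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)
    return {"salt": salt, "hash": digest, "locked": locked}

USERS = {
    "alice": _make_entry("correct horse", locked=False),
    "bob": _make_entry("battery staple", locked=True),   # locked-out account
}

# ADMIN_LOCKOUT is the status the article names; the other two are hypothetical labels.
ADMIN_LOCKOUT, INVALID_PASSWORD, AUTH_OK = "ADMIN_LOCKOUT", "INVALID_PASSWORD", "AUTH_OK"

def _password_matches(entry: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), entry["salt"], 20_000)
    return hmac.compare_digest(candidate, entry["hash"])

def authorize_lockout_first(user: str, password: str) -> str:
    """Order described for 5.5.2: lockout status is returned before the password is checked."""
    entry = USERS.get(user)
    if entry is None:
        return INVALID_PASSWORD
    if entry["locked"]:
        return ADMIN_LOCKOUT            # returned no matter what password was presented
    return AUTH_OK if _password_matches(entry, password) else INVALID_PASSWORD

def authorize_password_first(user: str, password: str) -> str:
    """Order described for 5.5.3: the password is verified before lockout status is reported."""
    entry = USERS.get(user)
    # Unknown user and wrong password yield the same status (timing equalization not shown).
    if entry is None or not _password_matches(entry, password):
        return INVALID_PASSWORD
    if entry["locked"]:
        return ADMIN_LOCKOUT            # only reachable by a caller holding the valid password
    return AUTH_OK

# Agent side: map the AServer status to the redirect page key configured in webagent.conf.
REDIRECT_PAGE = {
    ADMIN_LOCKOUT: "cleartrust.agent.login_auth_user_locked_out",
    INVALID_PASSWORD: "cleartrust.agent.login_error_pw_location_basic",
}

def leaks_user_existence(authorize) -> bool:
    """True if a wrong password sends a locked user and an unknown user to different pages."""
    locked_page = REDIRECT_PAGE.get(authorize("bob", "wrong"))
    unknown_page = REDIRECT_PAGE.get(authorize("nobody", "wrong"))
    return locked_page != unknown_page
```

Running `leaks_user_existence` against each function shows the lockout-first order distinguishing a locked account from a nonexistent one on a wrong password, while the password-first order does not.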
|Legacy Article ID||a24312|