Can the Umbraco login be hacked?
As part of a vulnerability scan, we got the two Umbraco login issues below:
User Credentials sent in plain text
Login page guessing attack
We are using ADMembershipProvider to log in to the Umbraco back office.
Is it possible that a hacker can hack our details while logging in?
Mukesh,
You could set up the login to go over SSL, then it's encrypted?
Regards
Ismail
Hi,
Those two issues probably came up as part of how your site is set up.
User Credentials sent in plain text
If you use https then the credentials will be encrypted as part of the user's session with the site.
Login page guessing attack
I am not sure what they mean by this? The login page for Umbraco is well known, but once there the hacker would have to know an account name and the password.
As you are using the ADMembershipProvider, Active Directory will probably lock an account after 10 unsuccessful login attempts, so no one can brute force the accounts on your site.
If you are worried, you can set up IP-based restrictions on the /umbraco/ part of the site (you can do this in IIS) and then only people from certain locations will be able to log on to your site.
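The IP-based restriction on /umbraco/ suggested in the answer above, as an added example that is not part of the original thread: a web.config fragment that assumes the IIS "IP and Domain Restrictions" feature is installed and the ipSecurity section is unlocked for the site. The address ranges are constructed placeholders.

```xml
<!-- Added example, not from the thread. Place inside <configuration> in the site's web.config. -->
<location path="umbraco">
  <system.webServer>
    <security>
      <!-- allowUnlisted="false" denies every client that is not listed below.
           The IIS default is allowUnlisted="true", which leaves the path open to all addresses. -->
      <ipSecurity allowUnlisted="false">
        <!-- Constructed placeholder: office network -->
        <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- Constructed placeholder: single VPN egress address -->
        <add ipAddress="198.51.100.25" allowed="true" />
        <!-- Local access from the server itself -->
        <add ipAddress="127.0.0.1" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>
```

If the site sits behind a load balancer or reverse proxy, IIS sees the proxy's address rather than the client's, so the allow list has to account for that.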
Thank you both for the active response.