#65 Security: Information leakage on failed login

Milestone: 1 Gold - SP 1.3.1
Status: closed
Owner: nobody
Labels: None
Priority: 3
Updated: 2004-12-09
Created: 2004-02-05
Creator: David Cantrell
Private: No

In most systems, failed login attempts simply result in
a "failed login" message or something similar. They
don't specify whether the username was wrong or the
password was wrong. With YABB, if a user tries to log
in with a bogus username, he is told "Username does not
exist". If he tries a valid username and the wrong
password, he is told "Password incorrect". An
attacker's job is therefore made easier.

I attach trivial patches in English, it'll need
translating for other languages. I will announce this
on bugtraq if I don't hear anything in one week,
although if you need more time or would prefer to
announce it yourselves please let me know by emailing
<david@cantrell.org.uk>.
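The distinguishable-message pattern the report describes, beside the single-message form the fix adopts, as an added Python illustration that is not YaBB's own code; the user store, the PBKDF2 hashing scheme and the function names are constructed for this example.

```python
import hashlib
import hmac
import os


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Constructed hashing scheme for the example; not YaBB's storage format.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}

# Dummy credential so the unknown-username path does the same hashing work
# as the known-username path (no timing difference to stand in for the message).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_pw("placeholder", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Behaviour the report describes: the message reveals whether the username exists."""
    if username not in USERS:
        return False, "Username does not exist"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return False, "Password incorrect"
    return True, "OK"


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened form: one failure message for both cases, same work on both paths."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_pw(password, salt), stored)
    # The second condition guards the (unlikely) case of a password matching the dummy hash.
    if not ok or username not in USERS:
        return False, "Login failed"
    return True, "OK"


def failure_messages_differ(login_fn, known_user: str, unknown_user: str) -> bool:
    """Regression check: can a caller tell a real username from a bogus one by the message?"""
    _, msg_known = login_fn(known_user, "definitely wrong")
    _, msg_unknown = login_fn(unknown_user, "definitely wrong")
    return msg_known != msg_unknown
```

`failure_messages_differ` is the kind of check to keep in a test suite so the uniform message does not regress when login code is edited or translated.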

Discussion

  • David Cantrell
    2004-02-05

    Patches
  • Tim Ceuppens
    2004-03-17

    Thanks for alerting us about this, we will look into this.
  • Torsten Mrotz
    2004-11-03

    • priority: 5 --> 4
  • Torsten Mrotz
    2004-12-09

    • status: open --> closed
  • Torsten Mrotz
    2004-12-09

    In SP2 the user will get the same error message if he entered
    a wrong password AND/OR an invalid username.
  • Torsten Mrotz
    2004-12-09

    • priority: 4 --> 3