Hello,
I work in another project called "Gallery", and we hired a company
(http://www.gdssecurity.com) to do a security audit for the upcoming
Gallery 1.6.
They divided the issues into 4 exposure levels (1 is highest, 4 is
lowest). Username enumeration is categorized as level 3.
Issue overview:
"... This vulnerability combined with weak passwords and lack of
account lockout significantly increases the possibility of account
compromise via password guessing attacks."
Remediation Procedure:
"The identified components should not return information that can be
used to enumerate valid user-ids. Ideally, application responses for
failed logins and password resets should be identical to prevent
unintended username enumeration."
You are right that the user gets useful information, but so does a
potential hacker.
Regards,
Jens Tkotz
Quoting David Goodwin <da...@co...>:
>
> Zhang Huangbin wrote:
>> Hi, all.
>>
>> PostfixAdmin shows 'username is not correct' or 'password is not
>> correct' while login failed, is it safe? Because i can use it to guess
>> what user you have.
>>
>> Why not change them to same message: 'Username or password is not
>> correct'?
>>
>> Thanks for your hard work.
>>
>
> Hi,
>
> I understand the issue, however it is a useful feature to say "username
> incorrect" or "password incorrect" etc (at least the user has some idea
> of what they did wrong!).
>
> Does anyone else want to <insert 2 cents>? If not, I'll change it as per
> the suggestion within the next week....
>
>
> David.
>
> - --
> David Goodwin
>
> [ david at codepoets dot co dot uk ]
> [ http://www.codepoets.co.uk ]
--
I'll just say .... Charisma
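As an added illustration of the audit finding discussed in this thread (example code written for this page, not code from PostfixAdmin or Gallery), here is a small Python model of both login behaviours side by side: the "username is not correct" / "password is not correct" variant, the uniform-message variant the audit recommends, and the attacker's enumeration oracle run against each. The user table, salt, iteration count, and all function names are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo data: one account and a fixed salt. Not PostfixAdmin's schema.
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 20_000


def _hash(password):
    """Deliberately slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alice@example.com": _hash("correct horse battery")}

# Hash that is verified for unknown usernames so the failure path costs the
# same time as a real password check (otherwise timing still leaks the name).
_DUMMY_HASH = _hash("not-a-real-password")


def login_leaky(username, password):
    """The behaviour the thread complains about: the message tells the
    caller whether the username exists."""
    if username not in USERS:
        return False, "username is not correct"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return False, "password is not correct"
    return True, "ok"


def login_uniform(username, password):
    """The remediation: one message for both failure causes, and the same
    amount of work whether or not the account exists."""
    stored = USERS.get(username, _DUMMY_HASH)
    # Always run the hash comparison, then discard the result for unknown users
    # so a guessed dummy password cannot log in as a non-existent account.
    matched = hmac.compare_digest(stored, _hash(password))
    ok = matched and username in USERS
    return ok, ("ok" if ok else "Username or password is not correct")


def request_reset(username):
    """Password reset with a uniform response whether or not the account
    exists (the audit asks for resets to behave like logins here).  A real
    application would send mail only for existing accounts; the page response
    must not reveal which case occurred."""
    return "If that account exists, a reset link has been sent to its mailbox."


def enumerate_users(login, candidates, probe_password="x"):
    """Attacker's oracle: compare each candidate's failure message with the
    message for a name that cannot exist.  Any difference confirms a user."""
    baseline = login("no-such-user@example.invalid", probe_password)[1]
    return sorted(u for u in candidates if login(u, probe_password)[1] != baseline)


if __name__ == "__main__":
    names = ["alice@example.com", "bob@example.com"]
    print("leaky  :", enumerate_users(login_leaky, names))    # ['alice@example.com']
    print("uniform:", enumerate_users(login_uniform, names))  # []
```

Two points the uniform message alone does not cover: the unknown-user path must still perform a hash comparison (the `_DUMMY_HASH` above), or response time becomes the oracle instead of the text; and, as the quoted audit text notes, the message is only one factor, so account lockout or rate limiting is still needed against password guessing once a username is known by other means.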