In most systems, failed login attempts simply result in a "failed login" message or something similar. They don't specify whether the username was wrong or the password was wrong. With YABB, if a user tries to log in with a bogus username, he is told "Username does not exist". If he tries a valid username and the wrong password, he is told "Password incorrect". An attacker's job is therefore made easier.

I attach trivial patches in English; they'll need translating for other languages. I will announce this on bugtraq if I don't hear anything in one week, although if you need more time or would prefer to announce it yourselves please let me know by emailing
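To make the report's point concrete, here is an added Python example (not YaBB's own Perl code and not the reporter's patch): the leaky login check as described above beside a version that returns one generic message for every failure, plus a small check a reviewer can run to flag the difference. The user store, salt and passwords are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample credential store (hypothetical users, not YaBB data):
# username -> (salt, PBKDF2 hash of the password).
_SALT = b"constructed-salt"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy hash checked when the username is unknown, so both failure
# paths do the same amount of work and take roughly the same time.
_DUMMY = _hash("placeholder-not-a-real-password", _SALT)


def login_leaky(username, password):
    """Mirrors the behaviour the report describes: the error message
    tells the caller whether the username exists."""
    if username not in USERS:
        return False, "Username does not exist"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Password incorrect"
    return True, "OK"


def login_uniform(username, password):
    """Hardened version: one generic message for every failure, and the
    password is still hashed for unknown usernames so response time does
    not leak what the message no longer says."""
    known = username in USERS
    salt, stored = USERS.get(username, (_SALT, _DUMMY))
    match = hmac.compare_digest(_hash(password, salt), stored)
    ok = known and match
    return ok, ("OK" if ok else "Login failed")


def reveals_username(login):
    """Check to run against any login function: does an unknown username
    produce a different message than a wrong password for a known one?
    True means accounts can be enumerated through the error text."""
    _, unknown_msg = login("nobody", "x")
    _, wrong_msg = login("alice", "x")
    return unknown_msg != wrong_msg
```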