#65 Security: Information leakage on failed login

1 Gold - SP 1.3.1

In most systems, failed login attempts simply result in
a "failed login" message or something similar. They
don't specify whether the username was wrong or the
password was wrong. With YABB, if a user tries to log
in with a bogus username, he is told "Username does not
exist". If he tries a valid username and the wrong
password, he is told "Password incorrect". An
attacker's job is therefore made easier.

I attach trivial patches in English; they'll need
translating for other languages. I will announce this
on bugtraq if I don't hear anything in one week,
although if you need more time or would prefer to
announce it yourselves please let me know by emailing


  • Tim Ceuppens - 2004-03-17

    Thanks for alerting us about this,

    we will look into this

  • Torsten Mrotz - 2004-11-03
    • priority: 5 --> 4

  • Torsten Mrotz - 2004-12-09
    • status: open --> closed

  • Torsten Mrotz - 2004-12-09

    in SP2 the user will get the same error message if he entered
    a wrong password AND/OR an invalid username

  • Torsten Mrotz - 2004-12-09
    • priority: 4 --> 3
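As an added illustration of the issue and of the SP2 fix described in the thread (example code, not YABB's Perl source or the attached patches): the leaky check returns a different message depending on which factor failed, so the set of failure texts an unauthenticated caller can observe distinguishes valid from invalid usernames; the uniform check returns one message and hashes a dummy credential for unknown users so the response time does not become the oracle instead. The user table, salts and passwords are constructed sample values.

```python
import hashlib
import hmac


def _hash(salt: bytes, password: str) -> bytes:
    # Constructed storage scheme for the example only (not YABB's format).
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed user table: username -> (salt, hash of salt + password).
_SALT_ALICE = b"constructed-salt"
USERS = {"alice": (_SALT_ALICE, _hash(_SALT_ALICE, "correct horse"))}

# Dummy credential so an unknown username still costs one hash computation.
_DUMMY_SALT = b"dummy-salt"
_DUMMY_HASH = _hash(_DUMMY_SALT, "dummy")


def login_leaky(username: str, password: str) -> str:
    """Pre-SP2 behaviour from the report: the message says which factor failed."""
    if username not in USERS:
        return "Username does not exist"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(salt, password), stored):
        return "Password incorrect"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """SP2-style behaviour: one message for a bad username and/or a bad password."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always hash and compare, then require the user to actually exist, so a
    # guess matching the dummy credential can never log in.
    matched = hmac.compare_digest(_hash(salt, password), stored)
    if matched and username in USERS:
        return "OK"
    return "Login failed"


def failure_messages(login) -> set:
    """Failure texts visible for 'unknown user' vs 'known user, wrong password'.

    Two distinct texts means the login form enumerates usernames.
    """
    return {login("nobody", "x"), login("alice", "wrong")}
```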
