> When a user tries to log in on the admin, with correct username &
> password, but is_staff is set to False, the error message is
> misleadingly wrong:
> "Please enter a correct username and password. Note that both fields
> are case-sensitive."
> Ticket 15567 deals with this and is currently marked as won't fix.
> After a lengthy discussion on
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to django-developers@googlegroups.com.
> To unsubscribe from this group, send email to
> django-developers+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd]
<cal.leem...@simplicitymedialtd.co.uk> wrote:
> +1, if the user/pass is entered, that user is entitled to know what its own
> permissions are.
> The error should give "You have insufficient access to this page" or
> something like that.
The thing is: if someone does a brute force attack on '/admin/' and gets this message back, they know there's a user with that login/password in the system. Since brute force attacks using common login/password pairs on these kinds of URLs are so common, I think this exposes your user more than necessary.
+1 on making the error say more than incorrect username/password. That is confusing. In regards to leaking information about the user. The error message in general could be changed to something like this, of course with better wording:
"Username and password incorrect or access to this page restricted".
The current status is that we are telling the user something that is incorrect. I've actually run into this situation before where I had a user reset their password a few times before coming to me.
On Tue, Sep 13, 2011 at 12:18 PM, Jan Schotsmans <enlight...@gmail.com> wrote:
> I can imagine several situations where you would like the user not to know
> that, until they talk to an administrator.
> -1 for me too, both giving away user info and giving info to the user that
> would be better given by a talk to an administrator.
> 2011/9/13 Cal Leeming [Simplicity Media Ltd]
> <cal.leem...@simplicitymedialtd.co.uk>
>> +1, if the user/pass is entered, that user is entitled to know what its
>> own permissions are.
>> The error should give "You have insufficient access to this page" or
>> something like that.
>> Cal
>> On Tue, Sep 13, 2011 at 6:12 PM, Florian Apolloner <f.apollo...@gmail.com>
>> wrote:
>>> -1, This would leak information about the users (But I am sure that's
>>> discussed at length in the other threads)
Flavio, Jan and Florian, it only "gives away information" when an
attacker guesses both the username and the password right.
But if he can guess those right, he could already access the user's
information using the normal login! So giving this message does not
change the danger. On the other hand, it would prevent lots of
confusion.
But we are repeating arguments here, so could you please read:
> On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd]
> <cal.leem...@simplicitymedialtd.co.uk> wrote:
> > +1, if the user/pass is entered, that user is entitled to know what its own
> > permissions are.
> > The error should give "You have insufficient access to this page" or
> > something like that.
> The thing is: if someone does a brute force attack on '/admin/' and
> gets this message back, they know there's a user with that
> login/password in the system. Since brute force attacks using common
> login/password pairs on these kinds of URLs are so common, I think this
> exposes your user more than necessary.
+1 again. If a correct username and password combination are given, the person submitting the credentials should know that he doesn't have access, just like Cal pointed out. It's unfair and frustrating to say that the combination is wrong.
On Sep 13, 8:24 pm, Adam Jenkins <emperorce...@gmail.com> wrote:
> +1 on making the error say more than incorrect username/password. That
> is confusing. In regards to leaking information about the user. The
> error message in general could be changed to something like this, of
> course with better wording:
> "Username and password incorrect or access to this page restricted".
+1. This solves the problem nicely. The login does not leak
information and the error message is correct.
On Tuesday, September 13, 2011 7:42:24 PM UTC+2, Wim Feijen wrote:
> Flavio, Jan and Florian, it only "gives away information" when an
> attacker guesses both the username and the password right.
No! Assume the admin view is the only login view in your project (since it only consists of the admin or whatever), then if the attacker guesses the correct username/password he knows that the user/password is valid (if we take your approach) and doesn't need to try other passwords since you told him he is no admin… Given the current state he never can make that assumption and might try further with the same user.
> So giving this message does not
> change the danger. On the other hand, it would prevent lots of
> confusion.
You assume that there is another login! Now you might say that my example is a bit obscure, but we do have some public sites with no admin which are managed by a dedicated admin instance (which has to be public [in the sense of reachable from everywhere] due to customer requests). So it does decrease security for us… I understand your point, but please don't assume that your proposed change can't leak information!
On Tue, Sep 13, 2011 at 12:27 PM, Anssi Kääriäinen <anssi.kaariai...@thl.fi>wrote:
> On Sep 13, 8:24 pm, Adam Jenkins <emperorce...@gmail.com> wrote:
> > +1 on making the error say more than incorrect username/password. That
> > is confusing. In regards to leaking information about the user. The
> > error message in general could be changed to something like this, of
> > course with better wording:
> > "Username and password incorrect or access to this page restricted".
> +1. This solves the problem nicely. The login does not leak
> information and the error message is correct.
I'm also +1 on this solution. Although maybe "is" should be inserted before the word restricted.
Hmm, actually my text was supposed to go below the quotes, but apparently the new Google interface is a bit buggy -- nevertheless I hope you still understand the point I am trying to make even without correct quoting order…
On Tue, Sep 13, 2011 at 12:42 PM, Wim Feijen <wimfei...@gmail.com> wrote:
> Hi, thanks for your quick responses!
> Flavio, Jan and Florian, it only "gives away information" when an
> attacker guesses both the username and the password right.
I think this is the correct approach. Give them the access warning on correct login. It also seems to be the standard way of doing such things in my experience.
> But if he can guess those right, he could already access the user's
> information using the normal login! So giving this message does not
> change the danger. On the other hand, it would prevent lots of
> confusion.
We really shouldn't be confusing the end user. It's just bad design to do so.
> On 13 sep, 19:23, Flávio Amieiro <flavioamie...@gmail.com> wrote:
>> On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd]
>> <cal.leem...@simplicitymedialtd.co.uk> wrote:
>> > +1, if the user/pass is entered, that user is entitled to know what its own
>> > permissions are.
>> > The error should give "You have insufficient access to this page" or
>> > something like that.
>> The thing is: if someone does a brute force attack on '/admin/' and
>> gets this message back, they know there's a user with that
>> login/password in the system. Since brute force attacks using common
>> login/password pairs on these kinds of URLs are so common, I think this
>> exposes your user more than necessary.
>> -1
> On Tue, Sep 13, 2011 at 12:42 PM, Wim Feijen <wimfei...@gmail.com> wrote:
>> Hi, thanks for your quick responses!
>> Flavio, Jan and Florian, it only "gives away information" when an
>> attacker guesses both the username and the password right.
> I think this is the correct approach. Give them the access warning on
> correct login. It also seems to be the standard way of doing such
> things in my experience.
>> But if he can guess those right, he could already access the user's
>> information using the normal login! So giving this message does not
>> change the danger. On the other hand, it would prevent lots of
>> confusion.
> We really shouldn't be confusing the end user. It's just bad design to do
> so.
>> But we are repeating arguments here, so could you please read:
>> On 13 sep, 19:23, Flávio Amieiro <flavioamie...@gmail.com> wrote:
>>> On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd]
>>> <cal.leem...@simplicitymedialtd.co.uk> wrote:
>>> > +1, if the user/pass is entered, that user is entitled to know what its
>>> > own
>>> > permissions are.
>>> > The error should give "You have insufficient access to this page" or
>>> > something like that.
>>> The thing is: if someone does a brute force attack on '/admin/' and
>>> gets this message back, they know there's a user with that
>>> login/password in the system. Since brute force attacks using common
>>> login/password pairs on these kinds of URLs are so common, I think this
>>> exposes your user more than necessary.
>>> -1
If a person brute forces your site and finds the correct username /
password, they could try this on other sites (Gmail, banking, etc.).
While it would make it a little more clear, I think the implications
are too big.
On Sep 13, 3:14 pm, Adam Jenkins <emperorce...@gmail.com> wrote:
> On Tue, Sep 13, 2011 at 12:42 PM, Wim Feijen <wimfei...@gmail.com> wrote:
> > Hi, thanks for your quick responses!
> > Flavio, Jan and Florian, it only "gives away information" when an
> > attacker guesses both the username and the password right.
> I think this is the correct approach. Give them the access warning on
> correct login. It also seems to be the standard way of doing such
> things in my experience.
> > But if he can guess those right, he could already access the users
> > information using the normal login! So giving this message does not
> > change the danger. On the other hand, it would prevent lots of
> > confusion.
> We really shouldn't be confusing the end user. It's just bad design to do so.
> > But we are repeating arguments here, so could you please read:
> > On 13 sep, 19:23, Flávio Amieiro <flavioamie...@gmail.com> wrote:
> >> On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd]
> >> <cal.leem...@simplicitymedialtd.co.uk> wrote:
> >> > +1, if the user/pass is entered, that user is entitled to know what its own
> >> > permissions are.
> >> > The error should give "You have insufficient access to this page" or
> >> > something like that.
> >> The thing is: if someone does a brute force attack on '/admin/' and
> >> gets this message back, they know there's a user with that
> >> login/password in the system. Since brute force attacks using common
> >> login/password pairs on these kinds of URLs are so common, I think this
> >> exposes your user more than necessary.
> >> -1
On Tue, Sep 13, 2011 at 11:24 AM, Adam Jenkins <emperorce...@gmail.com> wrote:
> +1 on making the error say more than incorrect username/password. That
> is confusing. In regards to leaking information about the user. The
> error message in general could be changed to something like this, of
> course with better wording:
> "Username and password incorrect or access to this page restricted".
> The current status is that we are telling the user something that is
> incorrect. I've actually run into this situation before where I had a
> user reset their password a few times before coming to me.
+1 on this suggestion. This has no security implications and is clearly an improvement over the existing message.
-1 on the idea of having two separate messages. It gives away information, and regardless of whether that information is useful to an attacker, we should not be trying to predict that. We can't envision all possible scenarios, so we should just assume that the information *is* useful and avoid doing that.
I agree 100% with what Russ had to say on the ticket: leaking information about admin accounts isn't OK, and we won't change that.
If someone would like to submit a patch with different wording that covers all cases -- "this is an invalid user/password for admin access" or somesuch -- that's fine. Please open a new ticket for it so we don't get confused though. But having one and only one error message here is by design.
> I agree 100% with what Russ had to say on the ticket: leaking
> information about admin accounts isn't OK, and we won't change that.
> If someone would like to submit a patch with different wording that
> covers all cases -- "this is an invalid user/password for admin
> access" or somesuch -- that's fine. Please open a new ticket for it so
> we don't get confused though. But having one and only one error
> message here is by design.
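The thread settles on one and only one failure message for the admin login. As an added example (not code from Django or from any poster here), the Python below models that decision against a constructed user table: `leaky_admin_login` is the two-message variant proposed early in the thread, `uniform_admin_login` is the single-message variant the wording from Adam's post and Jacob's reply point to, and `failure_messages` collects what an outside observer can tell apart under each. The function names, the PBKDF2 storage scheme and the sample accounts are assumptions of this example.

```python
"""Added example: one error message for every admin login failure, beside the
variant that distinguishes "wrong password" from "right password, not staff".
The user table and passwords below are constructed sample data."""
import hashlib
import hmac
import os

# The single message used for every failure path, after the thread's wording.
GENERIC_ERROR = "Username and password incorrect, or access to this page is restricted."


def make_user(username, password, is_staff):
    """Build a user record with a salted PBKDF2 hash (constructed sample data)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"username": username, "salt": salt, "hash": digest, "is_staff": is_staff}


# Constructed user table: one staff account and one ordinary (non-staff) account.
USERS = {
    u["username"]: u
    for u in (make_user("alice", "correct horse", True),
              make_user("bob", "battery staple", False))
}

# Dummy record so that an unknown username still costs one hash computation.
_DUMMY = make_user("", "", False)


def check_password(user, password):
    """Compare the submitted password against the stored hash in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(digest, user["hash"])


def leaky_admin_login(username, password):
    """The variant the thread argues against: a second message confirms that the
    credentials were right and only the staff flag was missing."""
    user = USERS.get(username)
    if user is None or not check_password(user, password):
        return (False, "Please enter a correct username and password.")
    if not user["is_staff"]:
        return (False, "You have insufficient access to this page.")
    return (True, "")


def uniform_admin_login(username, password):
    """The variant the thread settles on: every failure path yields the same
    message, and the hash is computed even when the username does not exist."""
    user = USERS.get(username, _DUMMY)
    password_ok = check_password(user, password)
    if user is _DUMMY or not password_ok or not user["is_staff"]:
        return (False, GENERIC_ERROR)
    return (True, "")


def failure_messages(login):
    """Distinct failure messages an observer can collect from the three failure
    paths: unknown user, wrong password, and valid password on a non-staff user."""
    attempts = [("mallory", "x"), ("bob", "wrong"), ("bob", "battery staple")]
    return {login(u, p)[1] for u, p in attempts}


if __name__ == "__main__":
    print("leaky variant exposes", len(failure_messages(leaky_admin_login)), "messages")
    print("uniform variant exposes", len(failure_messages(uniform_admin_login)), "message")
```

With the leaky variant, the response for `("bob", "battery staple")` differs from the response for `("bob", "wrong")`, which is exactly the confirmation Florian's scenario is about; with the uniform variant all three failure paths collapse to one string. The dummy-record hash for unknown usernames keeps the response cost similar across paths, which is the same idea Django's `ModelBackend` applies by running the password hasher once for nonexistent users; the message itself is only one of the observable channels, and rate limiting remains a separate control.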