please reopen ticket 15567


Wim Feijen

Sep 13, 2011, 12:07:53 PM
to Django developers
Hello,

When a user tries to login on the admin, with correct username &
password, but is_staff is set to False, the error message is
misleadingly wrong:

"Please enter a correct username and password. Note that both fields
are case-sensitive."

Ticket 15567 deals with this and is currently marked as won't fix.
After a lengthy discussion on

http://groups.google.com/group/django-developers/browse_thread/thread/df19241a0b1a04ef

the general consensus seems in favor of changing the error message and
thus to re-open the ticket.

Could the ticket please be reopened?

Thanks,

Wim

Ticket 15567:
https://code.djangoproject.com/ticket/15567

A patch:
https://code.djangoproject.com/attachment/ticket/16834/admin_not_allowed.diff

Babatunde Akinyanmi

Sep 13, 2011, 1:05:21 PM
to django-d...@googlegroups.com
+1


Florian Apolloner

Sep 13, 2011, 1:12:55 PM
to django-d...@googlegroups.com
-1, This would leak information about the users (But I am sure that's discussed at length in the other threads)

Cal Leeming [Simplicity Media Ltd]

Sep 13, 2011, 1:16:52 PM
to django-d...@googlegroups.com
+1, if the user/pass is entered, that user is entitled to know what its own permissions are.

The error should give "You have insufficient access to this page" or something like that.

Cal

On Tue, Sep 13, 2011 at 6:12 PM, Florian Apolloner <f.apo...@gmail.com> wrote:
-1, This would leak information about the users (But I am sure that's discussed at length in the other threads)


Jan Schotsmans

Sep 13, 2011, 1:18:45 PM
to django-d...@googlegroups.com
I can imagine several situations where you would like the user not to know that, until they talk to an administrator.

-1 for me too, both giving away user info and giving info to the user that would be better given by a talk to an administrator.


Flávio Amieiro

Sep 13, 2011, 1:23:03 PM
to django-d...@googlegroups.com
On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd]
<cal.l...@simplicitymedialtd.co.uk> wrote:
> +1, if the user/pass is entered, that user is entitled to know what its own
> permissions are.
> The error should give "You have insufficient access to this page" or
> something like that.

The thing is: if someone does a brute force attack on '/admin/' and
gets this message back, they know there's a user with that
login/password in the system. Since brute force attacks using common
login/password pairs on this kind of URL are so common, I think this
exposes your user more than necessary.

-1

Adam Jenkins

Sep 13, 2011, 1:24:51 PM
to django-d...@googlegroups.com
+1 on making the error say more than incorrect username/password. That
is confusing. In regards to leaking information about the user. The
error message in general could be changed to something like this, of
course with better wording:

"Username and password incorrect or access to this page restricted".

The current status is that we are telling the user something that is
incorrect. I've actually run into this situation before where I had a
user reset their password a few times before coming to me.

Wim Feijen

Sep 13, 2011, 1:42:24 PM
to Django developers
Hi, thanks for your quick responses!

Flavio, Jan and Florian, it only "gives away information" when an
attacker guesses both the username and the password right.

But if he can guess those right, he could already access the user's
information using the normal login! So giving this message does not
change the danger. On the other hand, it would prevent lots of
confusion.

But we are repeating arguments here, so could you please read:

http://groups.google.com/group/django-developers/browse_thread/thread/df19241a0b1a04ef

before responding?

Thanks!

Wim


Babatunde Akinyanmi

Sep 13, 2011, 1:21:38 PM
to django-d...@googlegroups.com
+1 again.
If a correct username and password combination are given, the person
submitting the credentials should know that he doesn't have access,
just like Cal pointed out. It's unfair and frustrating to say that the
combination is wrong.


Anssi Kääriäinen

Sep 13, 2011, 2:27:47 PM
to Django developers
On Sep 13, 8:24 pm, Adam Jenkins <emperorce...@gmail.com> wrote:
> +1 on making the error say more than incorrect username/password. That
> is confusing. In regards to leaking information about the user. The
> error message in general could be changed to something like this, of
> course with better wording:
>
> "Username and password incorrect or access to this page restricted".

+1. This solves the problem nicely. The login does not leak
information and the error message is correct.

- Anssi

Florian Apolloner

Sep 13, 2011, 3:02:01 PM
to django-d...@googlegroups.com
Hi,


On Tuesday, September 13, 2011 7:42:24 PM UTC+2, Wim Feijen wrote:
> Flavio, Jan and Florian, it only "gives away information" when an
> attacker guesses both the username and the password right.

No! Assume the admin view is the only login view in your project (since it only consists of the admin or whatever), then if the attacker guesses the correct username/password he knows that the user/password is valid (if we take your approach) and doesn't need to try other passwords since you told him he is no admin… Given the current state he never can make that assumption and might try further with the same user.

> So giving this message does not
> change the danger. On the other hand, it would prevent lots of
> confusion.

You assume that there is another login! Now you might say that my example is a bit obscure, but we do have some public sites with no admin which are managed by a dedicated admin instance (which has to be public [in the sense of reachable from everywhere] due to customer requests). So it does decrease security for us… I understand your point, but please don't assume that your proposed change can't leak information!

Cheers,
Florian

Paul Egges

Sep 13, 2011, 3:05:40 PM
to django-d...@googlegroups.com
I'm also +1 on this solution. Although maybe "is" should be inserted before the word restricted.

Paul

Florian Apolloner

Sep 13, 2011, 3:07:15 PM
to django-d...@googlegroups.com
Hmm, actually my text was supposed to go below the quotes, but apparently the new Google interface is a bit buggy -- nevertheless I hope you still understand the point I am trying to make even without correct quoting order…

Adam Jenkins

Sep 13, 2011, 3:14:50 PM
to django-d...@googlegroups.com
On Tue, Sep 13, 2011 at 12:42 PM, Wim Feijen <wimf...@gmail.com> wrote:
> Hi, thanks for your quick responses!
>
> Flavio, Jan and Florian, it only "gives away information" when an
> attacker guesses both the username and the password right.

I think this is the correct approach. Give them the access warning on
correct login. It also seems to be the standard way of doing such
things in my experience.

>
> But if he can guess those right, he could already access the users
> information using the normal login! So giving this message does not
> change the danger. On the other hand, it would prevent lots of
> confusion.

We really shouldn't be confusing the end user. It's just bad design to do so.


Babatunde Akinyanmi

Sep 13, 2011, 3:33:13 PM
to django-d...@googlegroups.com
The correct approach is to give a "one size fits all" error message.
While security is important, so also is user experience.


silent1mezzo

Sep 13, 2011, 3:38:08 PM
to Django developers
-1

If a person brute forces your site and finds the correct username /
password, they could try this on other sites (gmail, banking, etc.).
While it would make it a little more clear, I think the implications
are too big.


Ian Kelly

Sep 13, 2011, 3:45:21 PM
to django-d...@googlegroups.com
On Tue, Sep 13, 2011 at 11:24 AM, Adam Jenkins <empero...@gmail.com> wrote:
> +1 on making the error say more than incorrect username/password. That
> is confusing. In regards to leaking information about the user. The
> error message in general could be changed to something like this, of
> course with better wording:
>
> "Username and password incorrect or access to this page restricted".
>
> The current status is that we are telling the user something that is
> incorrect. I've actually run into this situation before where I had a
> user reset their password a few times before coming to me.

+1 on this suggestion. This has no security implications and is
clearly an improvement over the existing message.

-1 on the idea of having two separate messages. It gives away
information, and regardless of whether that information is useful to
an attacker, we should not be trying to predict that. We can't
envision all possible scenarios, so we should just assume that the
information *is* useful and avoid doing that.

Jacob Kaplan-Moss

Sep 13, 2011, 5:42:53 PM
to django-d...@googlegroups.com
Hi folks --

I agree 100% with what Russ had to say on the ticket: leaking
information about admin accounts isn't OK, and we won't change that.

If someone would like to submit a patch with different wording that
covers all cases -- "this is an invalid user/password for admin
access" or somesuch -- that's fine. Please open a new ticket for it so
we don't get confused though. But having one and only one error
message here is by design.

Thanks!

Jacob
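An added example, not Django's own code and not the patch from the ticket, of the single-message design Jacob describes: a stand-in admin login that answers every failure with one message, beside the two-message variant argued for earlier in the thread, plus a review check that the message cannot be used to tell a wrong password from a valid but non-staff account. The user table, salt and passwords are constructed for the example.

```python
# Added example, not Django's own code: a stand-in for the admin login check.
import hashlib
import hmac


def _hash(salt: bytes, password: str) -> bytes:
    # Low iteration count keeps the example fast; raise it in real use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed user table: username -> (salt, password hash, is_staff)
_SALT = b"constructed-salt"
USERS = {
    "alice": (_SALT, _hash(_SALT, "correct horse"), True),   # staff account
    "bob": (_SALT, _hash(_SALT, "battery staple"), False),   # valid login, not staff
}
# Hashed for every unknown username so a missing account costs as much
# time as a wrong password (the same idea Django's auth backend uses).
_DUMMY = _hash(_SALT, "dummy")

BAD_CREDENTIALS = "Please enter a correct username and password."
NOT_STAFF = "You have insufficient access to this page."
GENERIC = "Username and password incorrect or access to this page is restricted."


def _credentials_valid(username: str, password: str) -> bool:
    salt, digest, _ = USERS.get(username, (_SALT, _DUMMY, False))
    ok = hmac.compare_digest(_hash(salt, password), digest)
    return ok and username in USERS  # an unknown user never validates


def leaky_admin_login(username: str, password: str):
    """Two-message variant: the second message confirms the password is right."""
    if not _credentials_valid(username, password):
        return None, BAD_CREDENTIALS
    if not USERS[username][2]:
        return None, NOT_STAFF
    return username, None


def admin_login(username: str, password: str):
    """Single-message variant: every failure looks the same to the caller."""
    if _credentials_valid(username, password) and USERS[username][2]:
        return username, None
    return None, GENERIC


def message_reveals_password(login) -> bool:
    """Review check: does a non-staff account answered with the right password
    get a different message than the same account with a wrong password?"""
    _, wrong = login("bob", "wrong password")
    _, right = login("bob", "battery staple")
    return wrong != right
```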

Wim Feijen

Sep 13, 2011, 6:39:05 PM
to Django developers
Ladies and gentlemen,

Thanks for all the feedback, a patch is in ticket 16837:
https://code.djangoproject.com/ticket/16837

Feel free to try and review the patch.

Best regards and for now, good night.

Wim