> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to django-d...@googlegroups.com.
> To unsubscribe from this group, send email to
> django-develop...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
>
>
--
Sent from my mobile device
-1, This would leak information about the users (But I am sure that's discussed at length in the other threads)
The thing is: if someone does a brute force attack on '/admin/' and
gets this message back, they know there's a user with that
login/password in the system. Since brute force attacks using common
login/password pairs on these kinds of URLs are so common, I think this
exposes your user more than necessary.
-1
"Username and password incorrect or access to this page restricted".
The current status is that we are telling the user something that is
incorrect. I've actually run into this situation before where I had a
user reset their password a few times before coming to me.
On 9/13/11, Cal Leeming [Simplicity Media Ltd]
Flavio, Jan and Florian, it only "gives away information" when an
attacker guesses both the username and the password right.
So giving this message does not
change the danger. On the other hand, it would prevent lots of
confusion.
- Anssi
I think this is the correct approach. Give them the access warning on
correct login. It also seems to be the standard way of doing such
things in my experience.
>
> But if he can guess those right, he could already access the users
> information using the normal login! So giving this message does not
> change the danger. On the other hand, it would prevent lots of
> confusion.
We really shouldn't be confusing the end user. It's just bad design to do so.
>
> But we are repeating arguments here, so could you please read:
>
> http://groups.google.com/group/django-developers/browse_thread/thread/df19241a0b1a04ef
>
> before responding?
>
> Thanks!
>
> Wim
>
>
> On 13 sep, 19:23, Flávio Amieiro <flavioamie...@gmail.com> wrote:
>> On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd]
>>
>> <cal.leem...@simplicitymedialtd.co.uk> wrote:
>> > +1, if the user/pass is entered, that user is entitled to know what its own
>> > permissions are.
>> > The error should give "You have insufficient access to this page" or
>> > something like that.
>>
>> The thing is: if someone does a brute force attack on '/admin/' and
>> gets this message back, they know there's a user with that
>> login/password in the system. Since brute force attacks using common
>> login/password pairs on these kinds of URLs are so common, I think this
>> exposes your user more than necessary.
>>
>> -1
>
+1 on this suggestion. This has no security implications and is
clearly an improvement over the existing message.
-1 on the idea of having two separate messages. It gives away
information, and regardless of whether that information is useful to
an attacker, we should not be trying to predict that. We can't
envision all possible scenarios, so we should just assume that the
information *is* useful and avoid doing that.
I agree 100% with what Russ had to say on the ticket: leaking
information about admin accounts isn't OK, and we won't change that.
If someone would like to submit a patch with different wording that
covers all cases -- "this is an invalid user/password for admin
access" or somesuch -- that's fine. Please open a new ticket for it so
we don't get confused though. But having one and only one error
message here is by design.
Thanks!
Jacob
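The two designs argued over in this thread, side by side, as an added illustration (not code from the thread or from Django itself): a constructed in-memory user table, a two-message admin login that answers differently for "wrong password" and "valid credentials but not staff", and the single-message login the thread settles on. The `distinguishable` check shows why the single message matters: with two messages, a caller who tries a common login/password pair learns whether it is valid even though the account has no admin access.

```python
"""Single vs. two error messages on an admin login (added illustration)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    password_hash: str
    is_staff: bool


def _hash(password: str) -> str:
    # Constructed stand-in for a real password hasher; a real deployment
    # would use Django's make_password / check_password instead.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample accounts: one staff user, one ordinary user.
USERS = {
    "alice": User("alice", _hash("correct horse"), is_staff=True),
    "bob": User("bob", _hash("hunter2"), is_staff=False),
}


def check_credentials(username: str, password: str):
    """Return the User when username/password match, else None."""
    user = USERS.get(username)
    if user is None:
        return None
    return user if hmac.compare_digest(user.password_hash, _hash(password)) else None


def admin_login_two_messages(username: str, password: str):
    # The variant argued against: the second branch only fires when the
    # credentials are valid, so its message confirms a username/password pair.
    user = check_credentials(username, password)
    if user is None:
        return (False, "Username and password incorrect.")
    if not user.is_staff:
        return (False, "You have insufficient access to this page.")
    return (True, "")


def admin_login_single_message(username: str, password: str):
    # The design Jacob defends: one message whether the credentials are
    # wrong or merely belong to an account without admin access.
    user = check_credentials(username, password)
    if user is None or not user.is_staff:
        return (False, "Please enter a correct username and password for a staff account.")
    return (True, "")


def distinguishable(login) -> bool:
    """True if the responses let a caller tell 'wrong password' from 'valid but non-staff'."""
    return login("bob", "not-the-password") != login("bob", "hunter2")
```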