I've recently reported a bug[1] in django but got advice to discuss it
here on django-developers first.
When a user having is_staff=False provides correct username and password
to admin login page, he gets a message "Please enter a correct username
and password. Note that both fields are case-sensitive." This message is
wrong, because username and password are correct. Proper message should be
something like "You do not have permissions to enter admin area."
I want to emphasize once more that when username/password combination is
wrong, message should be about wrong credentials. But when
username/password combination is correct, message should be about
permissions.
Russellm opposed that idea saying: "This isn't a good idea, because it can
be used by an attacker to identify admin accounts. This would be a leak of
potentially sensitive information, narrowing the scope for any attack."
I consider that point not valid for following reasons:
* If attacker has no access to any login or password, he will still see
"wrong password" message.
* If attacker has access to login and password of one user, it won't help
him to know that this user is not an admin.
* If attacker knows all logins and passwords, proposed change won't make
attack any easier: attacker will just try them one after another.
That's why I think that proposed change doesn't weaken security and should
be implemented.
I'm strongly in favor of this change, because my mind was blown off when
during debug I could login to a site with my credentials, but not to admin
section. I've lost some time looking for a bug in my code until I checked
is_staff flag.
1: http://code.djangoproject.com/ticket/15567
--
arty ( http://arty.name )
I think the current behavior is also eventually detrimental to security.
In a real life setting this leads to superfluous password resets and
helpdesk queries - all leading to worse password choices by the common
user, besides the wasted time and effort.
Obviously, the new message should only be shown if the usernamd and
password are matched correctly.
Yishai
Sergiy
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to django-d...@googlegroups.com.
> To unsubscribe from this group, send email to
> django-develop...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
>
>
This is only a valid criticism if obscurity is your *only* source of
security. However, there's no reason that obscurity can't form one of
*many* barriers.
A good lock should be able to withstand the publication of all the
specifications for how the lock works, but that doesn't mean you have
to make an intruder's life easy by going out of your way to actually
publish those specifications. Every extra piece of obscurity is one
more piece of information that a potential attacker will need to
determine before they can commence an attack.
Yours,
Russ Magee %-)
That's fine. Why give more information than necessary?
You can not enter and that's it.
This is not an error because it is done so on purpose.
Less is more.
-3
What is the benefit for the user from this information ? He can't do
anything about it anyway, except for contacting the administrator of
the system. Ordinary users shouldn't even know that the admin
interface exists.
I can imagine a confused staff memeber, that didn't got his account
activated properly, but this can be fixed by putting extra help on
your admin's login page, imho.
--
Łukasz Rekucki
- Niran
2011/3/11 Łukasz Rekucki <lrek...@gmail.com>:
Yet some people try to hide this open information from good users.
That's a very common error in security efforts: make life of good people
harder while nothing changes for bad guys.
> That's fine. Why give more information than necessary?
> You can not enter and that's it.
> This is not an error because it is done so on purpose.
> Less is more.
If an attacker is brute forcing logins, providing a nondescript error
message here makes life harder.
-Paul
"I want to emphasize once more that when username/password combination is
wrong, message should be about wrong credentials. But when
username/password combination is correct, message should be about
permissions."
Bruteforcing isn't related to desired behavior in any way.
If an attacker is brute forcing logins, providing a nondescript error
message here makes life harder.
> I'm quoting first message in thread:
>
> "I want to emphasize once more that when username/password combination is wrong, message should be about wrong credentials. But when username/password combination is correct, message should be about permissions."
>
> Bruteforcing isn't related to desired behavior in any way.
Almost by definition, in a brute force attack you don't know any valid credentials. The purpose of the attack is to discover valid ones.
If I'm a smart attacker, I will pay attention to the error message I get back from my failed login attempts. If I'm attacking an admin login page and I get told "You don't have permissions to log into the admin page" or "Use a valid admin account" then I know that I very likely have discovered a valid username and password for logging into the non-admin part of the site, which is a breach of security. I will now go login as this user and begin seeing what sorts of holes are available to me from there.
How is this fundamentally any different from a message that says "Wrong password for that username?" Are you advocating that it's better design to tell brute force attackers whenever they hit upon a valid username, because its clearer to valid users what the error is?
As for the error confusing valid users, I fail to see the issue. Users should know already whether they are admins on a site or not, that shouldn't be something they need to discover for themselves.
Walter
If you're a smart attacker, you won't bruteforce credentials for admin
site, you will bruteforce credentials for main site. This way you'd get
much more credentials, if credentials for main site are good enough for
you.
If credentials for main site aren't good enough and you need credentials
for admin site then yes, you'd bruteforce admin site, but you won't in any
way benefit from knowing that some credentials are ok for main site only.
Whoops hit send instead of delete.
--
:: juanpex
> I understand that the "correct" message is another, but I do not see
> why it has to amend the current when the change is more vulnerable end
> up leaving the system.
> To me what should be discussed now is not whether to put the correct
> message or not (because that is "correct "), you should discuss
> whether to allow changes made in some way, compromise security.
This is one of my bug-bears with the current authentication system -
it has no concept of role. The current action when an identified user
visits the admin site is to display a login form, which is totally
wrong in my opinion. The user has already presented credentials, which
we have accepted, so why should we expect them to have another
different set of credentials?
Similarly, most restricted access views are currently protected by the
login_required decorator. Again, this is pretty good, but it doesn't
solve the authorization issue. With the vast majority of views I
decorate with @login_required, I actually need three states:
Unidentified -> login page
Identified, but no access -> homepage, with error message
Identified, access -> allow through
From the AAA, Django currently only really provides Authentication
(auth) and Access Controls (permissions). It doesn't really provide
any mechanism for Authorization.
In my projects, we have utilized _ExtendedCheckLogin (the class from
which @login_required is built around in 1.2 IIRC) to provide
@user_passes_test decorator, which takes a lambda function which is
called with the current user, and @logged_in_permission_required,
which is a specialization of @user_passes_test that simply takes a
permission name.
So, why am I jabbering about AAA, when this is about correctness of an
error message on the admin site? Well, the two dovetail quite nicely.
Imagine that django has this full AAA support. The admin views are no
longer decorated with @login_required, since they require a lot more
than that. Instead, they look something like this:
@user_passes_test(lambda u: u.is_staff or u.is_superuser)
def index(request):
...
Now this whole argument is moot. If the logged in user does not have
access to the admin site, they are sent to the homepage with a message
explaining that they don't have access. If they aren't logged in, they
get sent to the login page in order to do so. We now never have to
confuse our users by showing a logged in user a login form.
Now lets examine the extra information we may be leaking to an attacker:
If the site has both admin login, and regular login, then there is no
additional risk; an attacker detecting that a user account exists and
that they have the right credentials for that user by detecting a
change in error message from logging into a protected resource that
the user does not have access to is no different than an attacker
confirming an account exists and they have the right credentials by
actually logging into the account in the main interface.
If the site only has admin login, then the attacker would be able to
determine that there is a user account with these credentials.
However, this would be credentials for a user who cannot themselves
log into the site, making them of limited usefulness.
I hope this wasn't too long to read!
Cheers
Tom
Which might be a valid concern if your public-facing login interface
highly protected, but your admin interface is not (for example,
because it's only available on your protected intranet). Sure, it's
the edgiest of edge cases and if you care enough, you should have
applied the same security measures in the first place. So yes, this
most likely is not a security issue at all.
OTOH, I don't see a valid usage scenario not involving an admin who
has 2 accounts in the system and forgot which one was the proper one.
Now we can bikeshed to all eternity that the message is wrong (it's a
bit right too - you didn't gave valid creditials for this site. The
fact that your main site and admin site use the same user base is an
implementation detail), but that won't help anyone.
Anyway, Django 1.3 add an option to change the auth form used by
admin[1], so changing that message isn't that hard now. Another option
I already mentioned is adding extra help text in the template (you can
even make it display only if the form is invalid).
[1]: http://docs.djangoproject.com/en/dev/ref/contrib/admin/#django.contrib.admin.AdminSite.login_form
PS. If you're really concerned about messages from admin you should be
really outraged by _("Your e-mail address is not your username. Try
'%s' instead.") % user.username
--
Łukasz Rekucki
<skip>
> PS. If you're really concerned about messages from admin you should be
> really outraged by _("Your e-mail address is not your username. Try
> '%s' instead.") % user.username
That example is bad, but not misleading. Message about wrong credentials
is misleading. It misled me to waste whole hour figuring out what's wrong
with my login system - that's a usage scenario I want to fix.
Scenario: developer uses django to create a site, has is_staff=False for
some reason, django actively prevents debugging that issue.
Which might be a valid concern if your public-facing login interface
highly protected, but your admin interface is not (for example,
because it's only available on your protected intranet). Sure, it's
the edgiest of edge cases and if you care enough, you should have
applied the same security measures in the first place. So yes, this
most likely is not a security issue at all.
> This is one of my bug-bears with the current authentication system -
> it has no concept of role. The current action when an identified user
> visits the admin site is to display a login form, which is totally
> wrong in my opinion. The user has already presented credentials, which
> we have accepted, so why should we expect them to have another
> different set of credentials?
>
> Similarly, most restricted access views are currently protected by the
> login_required decorator. Again, this is pretty good, but it doesn't
> solve the authorization issue. With the vast majority of views I
> decorate with @login_required, I actually need three states:
>
> Unidentified -> login page
> Identified, but no access -> homepage, with error message
> Identified, access -> allow through
Spot on, IMO - it's muddling authentication and authorization up
together. The user is authenticated, and shouldn't be arbitrarily given
the impression that they're not when they try to access a page to which
they don't have access. There's nothing "special" about the admin here,
except that it is provided as part of the "batteries included". How does
your site respond when a user tried to access any other URL to which
they are denied access? Whatever happens there is probably what should
happen when they try to access the admin. It could be a 403, a redirect
to homepage, a forced logout with disabling of account and email to
admin, could be all sorts of things, depending on the site.
The question should probably be "how can we allow the developer to
specify the desired behaviour when the user attempts to access a URL to
which they have no access?" - subject to the usual provision of sensible
defaults etc.
Cheers,
Nick
--
Nick Phillips / +64 3 479 4195 / nick.p...@otago.ac.nz
# these statements are my own, not those of the University of Otago
Carelessness or neglect of a click in the admin should't call into
question the admin with the justification "that does not happen
again."
If the application is used only in Intranet or not is entirely
separate from whether to put the right message or not.
I think if everyone is going to fix "contrib" to your needs the
contrib lost all independence.
1.3 will create a special form and then you can change the message.
I do not think the amendment is necessary.
Regards,
The admin is not "one more app" is (if I may) the app with more weight
on most sites. Someone who has access to the admin has access to most
or all information. There is no "one more app. "
Carelessness or neglect of a click in the admin should't call into
question the admin with the justification "that does not happen
again."
I think if everyone is going to fix "contrib" to your needs the
contrib lost all independence.
On Wed, 16 Mar 2011 06:11:18 +0200, Tai Lee <real....@mrmachine.net>
wrote:
> I also don't think it should be considered a security vulnerability to
> reveal that an authenticated user does not have permission to access
> the admin (or any other) app.
>
> If the credentials are valid and they authenticate against the defined
> authentication backends, then we should assume that we are talking to
> a trusted authenticated user and we should present error messages that
> are at the very least not misleading.
>
> Assuming that any authenticated user might be an attacker who has
> brute forced a password and presenting obscure error messages to
> authenticated users is not helping anybody.
>
> Cheers.
> Tai.
So what would be the decision on this issue? Would Django make good guys'
life harder while nothing changes for bad guys?
> Hello.
>
> I've recently reported a bug[1] in django but got advice to discuss it
> here on django-developers first.
>
> When a user having is_staff=False provides correct username and password
> to admin login page, he gets a message "Please enter a correct username
> and password. Note that both fields are case-sensitive." This message is
> wrong, because username and password are correct. Proper message should
> be something like "You do not have permissions to enter admin area."
>
> I want to emphasize once more that when username/password combination is
> wrong, message should be about wrong credentials. But when
> username/password combination is correct, message should be about
> permissions.
>
> Russellm opposed that idea saying: "This isn't a good idea, because it
> can be used by an attacker to identify admin accounts. This would be a
> leak of potentially sensitive information, narrowing the scope for any
> attack."
>
> I consider that point not valid for following reasons:
>
> * If attacker has no access to any login or password, he will still see
> "wrong password" message.
> * If attacker has access to login and password of one user, it won't
> help him to know that this user is not an admin.
> * If attacker knows all logins and passwords, proposed change won't make
> attack any easier: attacker will just try them one after another.
>
> That's why I think that proposed change doesn't weaken security and
> should be implemented.
>
> I'm strongly in favor of this change, because my mind was blown off when
> during debug I could login to a site with my credentials, but not to
> admin section. I've lost some time looking for a bug in my code until I
> checked is_staff flag.
>
> 1: http://code.djangoproject.com/ticket/15567