Ticket #1515 (closed defect: fixed)
Security issue, login reveals whether a username is valid
Reported by: pgentoo | Owned by: rats
Priority: major | Milestone: ispCP ω 1.0 - RC7
Component: Backend (Engine) | Version: ispCP ω 1.0.0 - RC6
Severity: Don't know | Keywords: login, security, error message
An invalid username, invalid password, or both... should all receive the same error message "Invalid username/password.". This is so we don't reveal to brute force hackers if a username is valid or not.
Right now, if you enter an invalid username, it just kicks you back to the login page with no error message. If you enter a valid username, but incorrect password, you get a message that says: "You entered an incorrect password." This reveals what usernames are valid, and which are not, which is a security issue.
So this bug is twofold.
- If you enter an invalid username, the user should see an error message, which they don't currently.
- If the user enters an invalid password, it should show the same error message as for an invalid username.
Optionally, it would be great if the error message was on the actual login page, and not on a separate page. This is extra clicks for the user if they happen to mistype their password, which is annoying.
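The two behaviours the ticket contrasts, as an added illustration that is not ispCP's own code: `login_leaky` reproduces the reported outcomes (silent redirect for an unknown user, a password-specific message for a known one), and `login_fixed` returns the single generic message in both cases and also runs the hash check against a dummy credential for unknown users so the response time does not leak the same information. The user store, salt and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; the cost is paid on every attempt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: username -> (salt, password hash). Hypothetical data.
_SALT = b"constructed-salt"
USERS = {"admin": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential for unknown usernames: the same hashing work is done whether
# or not the username exists, so timing does not distinguish the two cases.
_DUMMY = (os.urandom(16), _hash("dummy", os.urandom(16)))

GENERIC_ERROR = "Invalid username/password."

def login_leaky(username: str, password: str):
    """The behaviour reported in the ticket: outcomes differ by username validity."""
    if username not in USERS:
        return None  # silently kicked back to the login page, no message
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "You entered an incorrect password."  # reveals a valid username
    return "OK"

def login_fixed(username: str, password: str) -> str:
    """Same message for unknown user and wrong password; hash work done either way."""
    salt, stored = USERS.get(username, _DUMMY)
    # Constant-time digest comparison; the membership check keeps a lucky match
    # against the dummy credential from ever counting as a login.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return "OK" if ok else GENERIC_ERROR
```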