Magnolia / MAGNOLIA-3347

Security Improvement: User accounts are testable


    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major
    • Fix Version/s: 4.3.9, 4.4
    • Component/s: admininterface

      User accounts can be enumerated very easily: there are three (or more) different error messages when a login fails:

      • user deactivated
      • wrong password
      • user does not exist

      Knowing which user accounts are valid can serve as the basis for a brute-force attack, so a generic error message should be shown instead ("login failed" or something like that).
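The following is an added example, not code from the ticket or from Magnolia itself. It puts the leaky login handler described above (one message per failure cause) next to a hardened one that returns the single generic message the ticket asks for, while still recording the real cause in a server-side log for operators. It also goes one step beyond the ticket text: the hardened variant hashes the supplied password against a decoy record when the username is unknown, so the response time does not reveal what the message no longer does. The user store, passwords and log list are constructed for the example; PBKDF2 is used as the hash only because it is in the standard library.

```python
import hashlib
import hmac
import os
import secrets
from typing import Callable, Dict, List, Tuple

PBKDF2_ROUNDS = 50_000  # kept modest so the example runs quickly


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(password: str, enabled: bool = True) -> Dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "enabled": enabled}


# Constructed sample user store (not Magnolia's user repository).
USERS = {
    "alice": make_account("correct horse"),
    "bob": make_account("battery staple", enabled=False),
}


def login_verbose(users: Dict, username: str, password: str) -> Tuple[bool, str]:
    """Leaky variant: the message tells the caller *why* the login failed."""
    account = users.get(username)
    if account is None:
        return (False, "user does not exist")
    if not account["enabled"]:
        return (False, "user deactivated")
    if not hmac.compare_digest(_hash_password(password, account["salt"]), account["hash"]):
        return (False, "wrong password")
    return (True, "ok")


GENERIC_FAILURE = "login failed"
# Decoy record: an unknown username still costs exactly one hash computation.
_DECOY = make_account(secrets.token_hex(16))
SERVER_LOG: List[str] = []  # constructed stand-in for the server-side log


def login_generic(users: Dict, username: str, password: str) -> Tuple[bool, str]:
    """Hardened variant: one message for every failure; the cause goes to the log only."""
    known = username in users
    account = users[username] if known else _DECOY
    # Always run the hash, even for unknown users, so timing does not leak existence.
    password_ok = hmac.compare_digest(_hash_password(password, account["salt"]), account["hash"])
    if known and account["enabled"] and password_ok:
        return (True, "ok")
    if not known:
        reason = "unknown user"
    elif not account["enabled"]:
        reason = "account disabled"
    else:
        reason = "bad password"
    SERVER_LOG.append(f"login failure user={username!r} reason={reason}")
    return (False, GENERIC_FAILURE)


def distinct_failure_messages(login_fn: Callable, users: Dict, attempts) -> set:
    """Collect the messages a client can observe across a batch of failed attempts."""
    seen = set()
    for username, password in attempts:
        ok, message = login_fn(users, username, password)
        if not ok:
            seen.add(message)
    return seen


# Constructed attempts covering all three failure causes from the ticket.
ATTEMPTS = [("alice", "nope"), ("bob", "battery staple"), ("carol", "x")]

if __name__ == "__main__":
    print("verbose handler leaks:", distinct_failure_messages(login_verbose, USERS, ATTEMPTS))
    print("generic handler shows:", distinct_failure_messages(login_generic, USERS, ATTEMPTS))
    print("\n".join(SERVER_LOG))
```

Running the module shows the verbose handler exposing three distinguishable messages while the generic handler exposes one; the per-cause detail is still available to operators in `SERVER_LOG`, which is where account-status information belongs.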

        Acceptance criteria

              People: Ondrej Chytil (ochytil), Martin Ruf (secaron)


                    Time tracking: Original Estimate 1h; Remaining Estimate 1h; Time Spent not specified