- Bug
- Resolution: Outdated
- Major
- None
- 2.5.2
- None
We are integrating the PUR module in a "simple" website with a registration form.
During the integration and test round of the registration process we found some security-related results.
PasswordProcessor#internalProcess() is returning "user not exist" when the user does not exist.
TokenPasswordProcessor#internalProcess() is returning information like "user not exist",
According to the OWASP Authentication Cheat Sheet (https://www.owasp.org/index.php/Authentication_Cheat_Sheet):
Authentication and Error Messages
Incorrectly implemented error messages in the case of authentication functionality can be used for the purposes of user ID and password enumeration. An application should respond (both HTTP and HTML) in a generic manner.
Authentication Responses
An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account.
A better response message will be something like: "Incorrect username or password"
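As an added illustration of the fix this ticket asks for (example code written here, not the project's own PasswordProcessor or TokenPasswordProcessor), the following shows the leaky pattern the ticket reports next to a hardened variant that returns the generic "Incorrect username or password" message, does the same amount of work whether or not the account exists, and uses a constant-time comparison. The user store, the SHA-256 digest (a stand-in for a real salted, slow password hash) and the method names `leakyProcess` / `hardenedProcess` are all assumptions for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

public class GenericAuthResponse {

    // Generic message returned for every failed login, as recommended by the OWASP text quoted above.
    static final String GENERIC_FAILURE = "Incorrect username or password";

    // Constructed in-memory user store: username -> SHA-256 of the password.
    // Demo only; production code would use a salted, slow hash such as bcrypt or PBKDF2.
    static final Map<String, byte[]> USERS = Map.of(
        "alice", sha256("correct horse battery staple"));

    // Digest compared against when the username is unknown, so the unknown-user path
    // performs the same hashing and comparison work as the known-user path.
    static final byte[] DUMMY_HASH = sha256("dummy-password-for-unknown-users");

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Leaky variant mirroring the behaviour the ticket reports: the message reveals whether the account exists. */
    static String leakyProcess(String username, String password) {
        byte[] stored = USERS.get(username);
        if (stored == null) {
            return "user not exist";
        }
        if (!MessageDigest.isEqual(stored, sha256(password))) {
            return "wrong password";
        }
        return "ok";
    }

    /** Hardened variant: one message and one code path for "unknown user" and "wrong password". */
    static String hardenedProcess(String username, String password) {
        boolean exists = USERS.containsKey(username);
        byte[] stored = USERS.getOrDefault(username, DUMMY_HASH);
        // MessageDigest.isEqual is constant-time for equal-length inputs, avoiding a timing side channel.
        boolean match = MessageDigest.isEqual(stored, sha256(password));
        if (exists && match) {
            return "ok";
        }
        // The precise reason (unknown user vs. bad password) may still be logged server-side
        // for rate limiting and monitoring; it just never reaches the HTTP/HTML response.
        return GENERIC_FAILURE;
    }

    public static void main(String[] args) {
        System.out.println("leaky, unknown user    : " + leakyProcess("bob", "x"));
        System.out.println("leaky, wrong password  : " + leakyProcess("alice", "x"));
        System.out.println("hardened, unknown user : " + hardenedProcess("bob", "x"));
        System.out.println("hardened, wrong passwd : " + hardenedProcess("alice", "x"));
        System.out.println("hardened, correct      : " + hardenedProcess("alice", "correct horse battery staple"));
    }
}
```

Running `main` prints two different failure strings for the leaky variant and the same generic string for both failure cases of the hardened one; only the successful login is distinguishable from the outside. Keeping the dummy-hash comparison on the unknown-user path matters because a generic message alone does not help if the response time still differs between the two cases.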