[MAGNOLIA-3347] Security Improvement: User accounts are testable Created: 29/Oct/10  Updated: 23/Jan/13  Resolved: 02/Nov/10

Status: Closed
Project: Magnolia
Component/s: admininterface
Affects Version/s: None
Fix Version/s: 4.3.9, 4.4

Type: Improvement Priority: Major
Reporter: Martin Ruf Assignee: Ondrej Chytil
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: 1h
Time Spent: Not Specified
Original Estimate: 1h

Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)

Description

User accounts can be tested very easily: there are three (or more) different error messages when login fails:

  • user deactivated
  • wrong password
  • user does not exist

Since knowing valid user accounts can be used as a basis for brute-force attacks, a generic error message should be shown ("login failed" or something like that).

Generated at Mon Feb 12 03:45:36 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.