[MGNLPUR-168] PUR is not OWASP compliant because it's informing about the status of an account. Created: 23/Jun/16  Updated: 30/Jan/23  Resolved: 30/Jan/23

Status: Closed
Project: Magnolia Public User Registration
Component/s: registration
Affects Version/s: 2.5.2
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Jordie Diepeveen Assignee: Unassigned
Resolution: Outdated Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Team: AdminX

Description

We are integrating the PUR module in a "simple" website with a registration form.
During the integration and test round of the registration process we found some security-related results.

PasswordProcessor#internalProcess() is returning "user not exist" when the user does not exist.
TokenPasswordProcessor#internalProcess() is returning information like "user not exist".

According to the OWASP Cheat Sheet: https://www.owasp.org/index.php/Authentication_Cheat_Sheet:
Authentication and Error Messages
Incorrectly implemented error messages in the case of authentication functionality can be used for the purposes of user ID and password enumeration. An application should respond (both HTTP and HTML) in a generic manner.

Authentication Responses
An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account.

A better response message would be something like: "Incorrect username or password".
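The enumeration problem described in this ticket, as an added example that is not code from the PUR module or the Magnolia project. It is written in Python rather than the module's Java so it can run stand-alone; the user store, hash parameters and function names (login_enumerable, login_generic, enumerate_users) are all hypothetical. login_enumerable reproduces the reported behaviour (a distinct message for an unknown user), login_generic returns the same message for both failure causes, and enumerate_users shows how an attacker turns the distinct message into a list of valid accounts. The hardened version also runs a real hash comparison against a dummy record when the user does not exist, so the unknown-user path does not finish noticeably faster than the wrong-password path (the OWASP cheat sheet asks for the response, not only the message text, to be indistinguishable).

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store for the example (the real module keeps users in the repository).
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

# Dummy salt/hash used when the username is unknown, so the failure path still performs
# one full password verification and costs the same time as a wrong password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(secrets.token_urlsafe(16), _DUMMY_SALT)

GENERIC_ERROR = "Incorrect username or password"


def login_enumerable(username: str, password: str) -> tuple[bool, str]:
    """Mirrors the reported behaviour: the message reveals whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return (False, "user not exist")
    salt, stored = record
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return (False, "wrong password")
    return (True, "ok")


def login_generic(username: str, password: str) -> tuple[bool, str]:
    """Hardened form: one generic message, and a hash check is done on every failure path."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_pbkdf2(password, salt), stored)
    if record is None or not match:
        return (False, GENERIC_ERROR)
    return (True, "ok")


def enumerate_users(login, candidates: list[str], probe_password: str = "x") -> list[str]:
    """Attacker view: any candidate whose failure message differs from the unknown-user
    baseline is a valid account. Returns the sorted list of accounts found."""
    baseline = login("no-such-user-" + secrets.token_hex(4), probe_password)[1]
    return sorted(u for u in candidates if login(u, probe_password)[1] != baseline)


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("enumerable handler leaks:", enumerate_users(login_enumerable, names))
    print("generic handler leaks:   ", enumerate_users(login_generic, names))
```

The same rule applies to the HTTP layer (status code, redirect target, response size) and to the token/reset flow mentioned for TokenPasswordProcessor: a reset request should answer with a neutral message such as "If an account exists for this address, an email has been sent" regardless of whether the user was found.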



Comments
Comment by Matt Rajkovic [ 30/Jan/23 ]

Very old ticket. Closing.

Generated at Mon Feb 12 06:43:44 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.