Hello.

I've recently reported a bug[1] in django but got advice to discuss it here on django-developers first.

When a user with is_staff=False provides the correct username and password to the admin login page, he gets the message "Please enter a correct username and password. Note that both fields are case-sensitive." This message is wrong, because the username and password are correct. A proper message should be something like "You do not have permissions to enter admin area."

I want to emphasize once more that when the username/password combination is wrong, the message should be about wrong credentials. But when the username/password combination is correct, the message should be about permissions.

Russellm opposed that idea, saying: "This isn't a good idea, because it can be used by an attacker to identify admin accounts. This would be a leak of potentially sensitive information, narrowing the scope for any attack."

I consider that point not valid for the following reasons:

* If the attacker has no access to any login or password, he will still see the "wrong password" message.
* If the attacker has access to the login and password of one user, it won't help him to know that this user is not an admin.
* If the attacker knows all logins and passwords, the proposed change won't make the attack any easier: the attacker will just try them one after another.

That's why I think that the proposed change doesn't weaken security and should be implemented.

I'm strongly in favor of this change, because my mind was blown when, during debugging, I could log in to a site with my credentials, but not to the admin section. I lost some time looking for a bug in my code until I checked the is_staff flag.

1: http://code.djangoproject.com/ticket/15567

--
arty ( http://arty.name )
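The disagreement above is about whether a distinct "no permissions" message turns the admin login page into an oracle. The following is an added example, not part of the original post and not Django's own code: a stand-in for the admin login form over a constructed in-memory user table, run once with the proposed distinguishing message and once with the uniform message. The names admin_login, classify_credentials, the sample users and the credential list are this example's own assumptions; the PBKDF2 storage is a simplification of Django's hasher, not a copy of it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    # Stand-in for an auth_user row; only the fields the admin form checks.
    username: str
    salt: bytes
    password_hash: bytes
    is_staff: bool


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; iteration count kept low so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_user(username: str, password: str, is_staff: bool) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash_password(password, salt), is_staff)


# Constructed sample users (assumption: plaintexts exist only for this demo).
USERS = {
    u.username: u
    for u in (
        make_user("alice", "correct horse", is_staff=True),
        make_user("bob", "battery staple", is_staff=False),
    )
}

# The message quoted in the post, and the message the post proposes.
INVALID_LOGIN = (
    "Please enter a correct username and password. "
    "Note that both fields are case-sensitive."
)
NO_PERMISSION = "You do not have permissions to enter admin area."


def _authenticate(username: str, password: str):
    """Return the User if username/password match, else None.
    Compares hashes in constant time so timing does not leak either."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
        return None
    return user


def admin_login(username: str, password: str, distinguish_permissions: bool):
    """Return (logged_in, message).

    distinguish_permissions=True is the behaviour proposed in the post:
    correct credentials but is_staff=False get NO_PERMISSION.
    distinguish_permissions=False returns INVALID_LOGIN for every failure,
    so wrong-password and non-staff cases are indistinguishable."""
    user = _authenticate(username, password)
    if user is None:
        return False, INVALID_LOGIN
    if not user.is_staff:
        return False, NO_PERMISSION if distinguish_permissions else INVALID_LOGIN
    return True, ""


# Constructed credential list an attacker might hold (e.g. from another breach).
CANDIDATES = [
    ("alice", "correct horse"),   # valid, staff
    ("bob", "battery staple"),    # valid, not staff
    ("bob", "wrong password"),    # invalid
    ("nobody", "anything"),       # no such account
]


def classify_credentials(candidates, distinguish_permissions: bool):
    """What the attacker learns about each pair from the admin page alone."""
    labels = []
    for username, password in candidates:
        ok, msg = admin_login(username, password, distinguish_permissions)
        if ok:
            labels.append((username, "staff"))
        elif msg == NO_PERMISSION:
            labels.append((username, "valid, non-staff"))
        else:
            labels.append((username, "unknown"))
    return labels


if __name__ == "__main__":
    for mode in (True, False):
        print("distinguish_permissions =", mode)
        for username, label in classify_credentials(CANDIDATES, mode):
            print(f"  {username:7s} -> {label}")
```

Run with the distinguishing message, the page labels every pair as staff, valid-non-staff or unknown; with the uniform message, a valid non-staff credential and a wrong password produce the same response, so only successful staff logins are distinguishable. That difference is the "identify admin accounts" point in the quoted objection, and the post's counter-argument is that the attacker already needs a working password to reach it.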

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
