IMO, obscuring the reason for admin site access denial only confuses the user. If the attacker has user credentials (and knows the admin URL!) the big job has already been done, and verifying whether that account is admin or not is trivial enough. There is no added security in displaying a wrong error message. I'd rather simply return a 403 error in this situation.
Sergiy

On Wed, Mar 9, 2011 at 8:18 AM, Yishai Beeri <yis...@platonix.com> wrote:
> +1 on this. Messages should not give inaccurate information.
>
> I think the current behavior is also eventually detrimental to security. In a real life setting this leads to superfluous password resets and helpdesk queries - all leading to worse password choices by the common user, besides the wasted time and effort.
>
> Obviously, the new message should only be shown if the username and password are matched correctly.
>
> Yishai
>
> On Wed, 09 Mar 2011 10:39:53 +0200, artemy tregubenko <m...@arty.name> wrote:
>
>> Hello.
>>
>> I've recently reported a bug[1] in django but got advice to discuss it here on django-developers first.
>>
>> When a user with is_staff=False provides the correct username and password to the admin login page, he gets the message "Please enter a correct username and password. Note that both fields are case-sensitive." This message is wrong, because the username and password are correct. The proper message should be something like "You do not have permissions to enter admin area."
>>
>> I want to emphasize once more that when the username/password combination is wrong, the message should be about wrong credentials. But when the username/password combination is correct, the message should be about permissions.
>>
>> Russellm opposed that idea saying: "This isn't a good idea, because it can be used by an attacker to identify admin accounts. This would be a leak of potentially sensitive information, narrowing the scope for any attack."
>>
>> I consider that point not valid for the following reasons:
>>
>> * If the attacker has no access to any login or password, he will still see the "wrong password" message.
>> * If the attacker has access to the login and password of one user, it won't help him to know that this user is not an admin.
>> * If the attacker knows all logins and passwords, the proposed change won't make the attack any easier: the attacker will just try them one after another.
>>
>> That's why I think that the proposed change doesn't weaken security and should be implemented.
>>
>> I'm strongly in favor of this change, because my mind was blown off when during debug I could login to a site with my credentials, but not to the admin section. I've lost some time looking for a bug in my code until I checked the is_staff flag.
>>
>> 1: http://code.djangoproject.com/ticket/15567
>
> --
> You received this message because you are subscribed to the Google Groups "Django developers" group.
> To post to this group, send email to django-developers@googlegroups.com.
> To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
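The decision logic the thread argues over, as an added Python example that is not part of the thread or of Django's own code: it models the admin login against a constructed user store (USERS, admin_login and the two message strings are assumptions), verifies credentials before looking at is_staff so the permission message can only follow a correct username/password pair, and the last check in the test shows that without valid credentials a staff account, a non-staff account and an unknown username all produce the same response.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor for this constructed example


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password, is_staff):
    # Constructed stand-in for a Django auth record: salted hash plus staff flag.
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "is_staff": is_staff}


# Constructed sample accounts (assumption, not data from the thread).
USERS = {
    "alice": make_user("correct horse", is_staff=True),
    "bob": make_user("battery staple", is_staff=False),
}

# Message wording taken from the thread's description and proposal.
WRONG_CREDENTIALS = "Please enter a correct username and password."
NO_PERMISSION = "You do not have permissions to enter admin area."


def admin_login(username, password):
    """Return (status, message) for one admin login attempt.

    Order matters: the permission outcome is reachable only after the
    credentials verify, which is the condition Yishai and artemy insist on.
    """
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown username costs the same time as a wrong
        # password; both paths then return an identical response.
        _hash(password, b"\x00" * 16)
        return "invalid", WRONG_CREDENTIALS
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return "invalid", WRONG_CREDENTIALS
    if not user["is_staff"]:
        # Sergiy's suggestion: deny plainly (a 403) rather than claim bad credentials.
        return "forbidden", NO_PERMISSION
    return "ok", "OK"
```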