+1 for this fix. I don't think that security through obscurity is ever a good choice.
On Wed, Mar 9, 2011 at 9:42 AM, Sergiy Kuzmenko <s.kuzme...@gmail.com> wrote:
> IMO, obscuring the reason for admin site access denial only confuses
> the user. If the attacker has user credentials (and knows the admin URL!)
> the big job has already been done and verifying whether that account
> is admin or not is trivial enough. There is no added security in
> displaying a wrong error message. I'd rather simply return a 403 error in
> this situation.
>
> Sergiy
>
> On Wed, Mar 9, 2011 at 8:18 AM, Yishai Beeri <yis...@platonix.com> wrote:
>> +1 on this. Messages should not give inaccurate information.
>>
>> I think the current behavior is also eventually detrimental to security. In
>> a real life setting this leads to superfluous password resets and helpdesk
>> queries - all leading to worse password choices by the common user, besides
>> the wasted time and effort.
>>
>> Obviously, the new message should only be shown if the username and password
>> are matched correctly.
>>
>> Yishai
>>
>> On Wed, 09 Mar 2011 10:39:53 +0200, artemy tregubenko <m...@arty.name> wrote:
>>
>>> Hello.
>>>
>>> I've recently reported a bug[1] in Django but got advice to discuss it
>>> here on django-developers first.
>>>
>>> When a user with is_staff=False provides a correct username and password
>>> to the admin login page, he gets the message "Please enter a correct username and
>>> password. Note that both fields are case-sensitive." This message is wrong,
>>> because the username and password are correct. The proper message should be
>>> something like "You do not have permissions to enter the admin area."
>>>
>>> I want to emphasize once more that when the username/password combination is
>>> wrong, the message should be about wrong credentials. But when the
>>> username/password combination is correct, the message should be about
>>> permissions.
>>>
>>> Russellm opposed that idea, saying: "This isn't a good idea, because it can
>>> be used by an attacker to identify admin accounts. This would be a leak of
>>> potentially sensitive information, narrowing the scope for any attack."
>>>
>>> I consider that point not valid for the following reasons:
>>>
>>> * If the attacker has no access to any login or password, he will still see
>>> the "wrong password" message.
>>> * If the attacker has access to the login and password of one user, it won't help
>>> him to know that this user is not an admin.
>>> * If the attacker knows all logins and passwords, the proposed change won't make
>>> the attack any easier: the attacker will just try them one after another.
>>>
>>> That's why I think that the proposed change doesn't weaken security and should
>>> be implemented.
>>>
>>> I'm strongly in favor of this change, because my mind was blown when
>>> during debugging I could log in to a site with my credentials, but not to the admin
>>> section. I lost some time looking for a bug in my code until I checked the
>>> is_staff flag.
>>>
>>> 1: http://code.djangoproject.com/ticket/15567
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django developers" group.
>> To post to this group, send email to django-developers@googlegroups.com.
>> To unsubscribe from this group, send email to
>> django-developers+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/django-developers?hl=en.
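To make the ordering the thread argues for concrete (verify the credentials first, and only after they match decide between "logged in" and a permission refusal with a 403), here is an added illustration in plain Python. It is not Django's admin login code and is not from any poster in the thread; the in-memory user store, the helper names, the two sample accounts and the status codes are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for an auth user table (illustrative, not Django's model).
@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    is_staff: bool
    is_active: bool = True


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 stands in for whatever password hasher the site uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str, is_staff: bool) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash(password, salt), is_staff)


# Two constructed accounts: one staff member, one ordinary user.
USERS = {
    u.username: u
    for u in [
        make_user("alice", "correct horse", is_staff=True),
        make_user("bob", "battery staple", is_staff=False),
    ]
}

WRONG_CREDENTIALS = (
    "Please enter a correct username and password. "
    "Note that both fields are case-sensitive."
)
NO_PERMISSION = "You do not have permission to access the admin area."


def authenticate(username: str, password: str):
    """Return the User only if username and password match, else None.

    An unknown username still costs one hash computation so that response
    time does not reveal whether the username exists.
    """
    user = USERS.get(username)
    if user is None:
        _hash(password, b"\x00" * 16)  # equalise work for unknown usernames
        return None
    if hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
        return user
    return None


def admin_login(username: str, password: str, accurate_message: bool = True):
    """Return (status, message) for an admin login attempt.

    accurate_message=False reproduces the behaviour the thread complains
    about: a non-staff user with correct credentials is told the credentials
    are wrong. accurate_message=True is the proposed behaviour: the
    permission message (and a 403) is only ever reached after the
    credentials have verified, so nothing is revealed to someone without
    a valid username/password pair. Status codes are the example's own.
    """
    user = authenticate(username, password)
    if user is None or not user.is_active:
        return 401, WRONG_CREDENTIALS
    if not user.is_staff:
        if accurate_message:
            return 403, NO_PERMISSION
        return 401, WRONG_CREDENTIALS
    return 200, "OK"


if __name__ == "__main__":
    for args in [("alice", "correct horse"), ("bob", "battery staple"),
                 ("bob", "wrong"), ("nobody", "x")]:
        print(args[0], admin_login(*args))
```

The permission branch sits strictly below the credential check, which is the condition Yishai states: the accurate message can only be observed by someone who already holds a valid username and password, and an attacker without them sees the same "wrong credentials" response for unknown users, wrong passwords and non-staff accounts alike.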