#15567 closed Uncategorized (wontfix)
Wrong error message when user having is_staff=False tries to login to admin
| Reported by: | arty | Owned by: | nobody |
|---|---|---|---|
| Component: | Uncategorized | Version: | 1.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Steps to reproduce:
- Create a user with is_staff=False
- Logout and go to /admin/
- Try to log in using that user's credentials
Error message would say: "Please enter a correct username and password. Note that both fields are case-sensitive."
This message is wrong, because username and password are correct. Proper message should be something like "You do not have permissions to enter admin area."
Change History (5)
comment:1 by , 13 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
comment:2 by , 13 years ago
| Resolution: | wontfix |
|---|---|
| Status: | closed → reopened |
Point "because it can be used by an attacker to identify admin accounts" is not valid imho. I ask to change message only when login and password are correct, so that the only reason to deny authorization is is_staff=False.
- If attacker has access to login and password of one user, it won't help him to know that this user is not an admin.
- If attacker has no access to any login or password, he will still see "wrong password" message.
- If attacker knows all logins and passwords, proposed change won't make attack any easier: attacker will just try them one after another.
Proposed change doesn't weaken security. Please reconsider.
comment:3 by , 13 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | reopened → closed |
Please don't reopen a ticket that has been closed wontfix. If you want to advocate for this change, start a thread on django-developers.
comment:4 by , 13 years ago
Sorry for reopening.
I've started a thread there http://groups.google.com/group/django-developers/browse_thread/thread/df19241a0b1a04ef
comment:5 by , 13 years ago
| Easy pickings: | unset |
|---|---|
| Severity: | → Normal |
| Type: | → Uncategorized |
| UI/UX: | unset |
For the record:
After another discussion on django-developers here:
http://groups.google.com/group/django-developers/browse_thread/thread/c070dcd878a75a2b
I created a new ticket & patch in order to make the error message more clear while not giving away any more information: see ticket #16837
This isn't a good idea, because it can be used by an attacker to identify admin accounts. This would be a leak of potentially sensitive information, narrowing the scope for any attack.
Also, the message isn't, strictly speaking, wrong: It isn't a valid username and password -- for accessing the admin interface.