Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#15567 closed Uncategorized (wontfix)

Wrong error message when user having is_staff=False tries to login to admin

Reported by: arty Owned by: nobody
Component: Uncategorized Version: 1.2
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Steps to reproduce:

  • Create a user with is_staff=False
  • Logout and go to /admin/
  • Try to log in using that user's credentials

Error message would say: "Please enter a correct username and password. Note that both fields are case-sensitive."

This message is wrong, because username and password are correct. Proper message should be something like "You do not have permissions to enter admin area."

Change History (5)

comment:1 Changed 8 years ago by Russell Keith-Magee

Resolution: wontfix
Status: newclosed

This isn't a good idea, because it can be used by an attacker to identify admin accounts. This would be a leak of potentially sensitive information, narrowing the scope for any attack.

Also, the message isn't, strictly speaking, wrong: It isn't a valid username and password -- for accessing the admin interface.

comment:2 Changed 8 years ago by arty

Resolution: wontfix
Status: closedreopened

Point "because it can be used by an attacker to identify admin accounts" is not valid imho. I ask to change message only when login and password are correct, so that the only reason to deny authorization is is_staff=False.

  • If attacker has access to login and password of one user, it won't help him to know that this user is not an admin.
  • If attacker has no access to any login or password, he will still see "wrong password" message.
  • If attacker knows all logins and passwords, proposed change won't make attack any easier: attacker will just try them one after another.

Proposed change doesn't weaken security. Please reconsider.

comment:3 Changed 8 years ago by Russell Keith-Magee

Resolution: wontfix
Status: reopenedclosed

Please don't reopen a ticket that has been closed wontfix. If you want to advocate for this change, start a thread on django-developers.

comment:5 Changed 8 years ago by Wim Feijen <wim@…>

Easy pickings: unset
Severity: Normal
Type: Uncategorized
UI/UX: unset

For the record:
After another discussion on django-developers here:

I created a new ticket & patch in order to make the error message more clear while not giving away any more information: see ticket #16837

Note: See TracTickets for help on using tickets.
Back to Top