Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#15567 closed Uncategorized (wontfix)

Wrong error message when user having is_staff=False tries to login to admin

Reported by: arty Owned by: nobody
Component: Uncategorized Version: 1.2
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Steps to reproduce:

  • Create a user with is_staff=False
  • Logout and go to /admin/
  • Try to log in using that user's credentials

The error message says: "Please enter a correct username and password. Note that both fields are case-sensitive."

This message is wrong, because the username and password are correct. The proper message should be something like "You do not have permissions to enter admin area."

Change History (5)

comment:1 Changed 5 years ago by russellm

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to wontfix
  • Status changed from new to closed

This isn't a good idea, because it can be used by an attacker to identify admin accounts. This would be a leak of potentially sensitive information, narrowing the scope for any attack.

Also, the message isn't, strictly speaking, wrong: It isn't a valid username and password -- for accessing the admin interface.
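The trade-off in this comment, as an added example that is not code from the ticket or from Django: a minimal admin-login check written two ways. The first returns a distinct message when the credentials are right but the account is not staff, as the ticket asks; the second answers every failed attempt with the same message, as the admin does. The `User` class, the `USERS` store, the toy salted-hash scheme and `authenticate()` are constructed stand-ins, not Django's `User` model or its auth backends; the only text taken from the page is the error message itself.

```python
"""Uniform vs. distinguishing admin-login failure messages (added example,
not Django code). The user store, User class and hashing are constructed
stand-ins for illustration only."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Wording quoted from the ticket: the message shown on any failed admin login.
ADMIN_LOGIN_ERROR = ("Please enter a correct username and password. "
                     "Note that both fields are case-sensitive.")


@dataclass(frozen=True)
class User:
    username: str
    salt: bytes
    pw_hash: bytes  # salted SHA-256 of the password (toy scheme, not Django's hasher)
    is_staff: bool


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


def make_user(username: str, password: str, is_staff: bool) -> User:
    salt = secrets.token_bytes(16)
    return User(username, salt, _hash(password, salt), is_staff)


# Constructed sample accounts: one staff user, one ordinary user.
USERS = {
    u.username: u
    for u in (
        make_user("alice", "correct horse", is_staff=True),
        make_user("bob", "battery staple", is_staff=False),
    )
}


def authenticate(username: str, password: str) -> Optional[User]:
    """Return the matching user if the password verifies, else None."""
    user = USERS.get(username)
    if user is None:
        return None
    if hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
        return user
    return None


def leaky_admin_login(username: str, password: str) -> Optional[str]:
    """The behaviour the ticket requests: a separate message once the
    credentials verify but the account lacks is_staff. Returns None on
    success, otherwise the error text. Because the two failure strings
    differ, the response tells the client which case it hit."""
    user = authenticate(username, password)
    if user is None:
        return ADMIN_LOGIN_ERROR
    if not user.is_staff:
        return "You do not have permissions to enter admin area."
    return None


def uniform_admin_login(username: str, password: str) -> Optional[str]:
    """The behaviour comment:1 keeps: a wrong password, an unknown username
    and a correct non-staff login all produce the same message, so the
    response carries no information about the account beyond 'not admitted'."""
    user = authenticate(username, password)
    if user is None or not user.is_staff:
        return ADMIN_LOGIN_ERROR
    return None


def responses_distinguish_staff(login: Callable[[str, str], Optional[str]]) -> bool:
    """Defender's check: does this login function answer a wrong password for
    a non-staff account differently from that account's correct password?
    True means the failure message works as an oracle for account attributes."""
    wrong_password = login("bob", "not the password")
    correct_non_staff = login("bob", "battery staple")
    return wrong_password != correct_non_staff


if __name__ == "__main__":
    print("leaky variant distinguishes:", responses_distinguish_staff(leaky_admin_login))
    print("uniform variant distinguishes:", responses_distinguish_staff(uniform_admin_login))
```

`responses_distinguish_staff` is the property worth keeping in a test suite for any login form: if two failure causes ever produce different bodies, the form has become a way to learn something about accounts without being admitted.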

comment:2 Changed 5 years ago by arty

  • Resolution wontfix deleted
  • Status changed from closed to reopened

The point "because it can be used by an attacker to identify admin accounts" is not valid imho. I ask to change the message only when the login and password are correct, so that the only reason to deny authorization is is_staff=False.

  • If the attacker has access to the login and password of one user, it won't help him to know that this user is not an admin.
  • If the attacker has no access to any login or password, he will still see the "wrong password" message.
  • If the attacker knows all logins and passwords, the proposed change won't make the attack any easier: the attacker will just try them one after another.

The proposed change doesn't weaken security. Please reconsider.

comment:3 Changed 5 years ago by russellm

  • Resolution set to wontfix
  • Status changed from reopened to closed

Please don't reopen a ticket that has been closed wontfix. If you want to advocate for this change, start a thread on django-developers.

comment:5 Changed 5 years ago by Wim Feijen <wim@…>

  • Easy pickings unset
  • Severity set to Normal
  • Type set to Uncategorized
  • UI/UX unset

For the record:
After another discussion on django-developers here:

I created a new ticket & patch in order to make the error message more clear while not giving away any more information: see ticket #16837
