XWiki Platform / XWIKI-3618

XWiki login should not differentiate between invalid user and invalid password


Details

Labels: security, password

Description

If a user enters an invalid username, or an invalid password, XWiki informs them that they've either entered a "wrong user name" or "wrong password". This is a security vulnerability, because it gives a potential attacker valuable information about what constitutes valid credentials. Rather, in both cases, XWiki should respond with "wrong user name or password".

This is especially worrying if you have XWiki connected to an underlying authentication system, because XWiki will reveal information about that system which can then be used to compromise other services using that system.
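As an added illustration of the point in the report above (example code written for this page, not XWiki's own login code, which is Java; the usernames, passwords, store layout and function names are made up): a verbose check that tells the caller which part was wrong, a uniform check that returns one message and does the same amount of hashing work whether or not the account exists, and the enumeration probe an attacker would run against each.

```python
"""User-enumeration-resistant login check (illustrative, not XWiki code)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000


def _hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(credentials):
    """Build a store of username -> (salt, hash) from a constructed dict."""
    store = {}
    for name, pw in credentials.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(pw, salt))
    return store


# Constructed sample accounts, not taken from the issue.
USERS = make_user_store({"alice": "correct horse", "bob": "battery staple"})

# Dummy record used when the user does not exist, so the missing-user path
# does the same PBKDF2 work as the real one; the comparison always fails.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def login_verbose(store, username, password):
    """The behaviour the issue describes: the error says which part was wrong."""
    if username not in store:
        return (False, "wrong user name")
    salt, expected = store[username]
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return (False, "wrong password")
    return (True, "ok")


def login_uniform(store, username, password):
    """Hardened: one message for both failures, and equal work in both paths."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash_password(password, salt), expected)
    if username not in store or not matched:
        return (False, "wrong user name or password")
    return (True, "ok")


def probe_usernames(login, store, candidates):
    """Attacker's view: submit a junk password for each candidate and keep the
    names whose error differs from that of a name known not to exist."""
    baseline = login(store, "no-such-user-" + os.urandom(4).hex(), "x")[1]
    confirmed = []
    for name in candidates:
        if login(store, name, "definitely-not-the-password")[1] != baseline:
            confirmed.append(name)
    return sorted(confirmed)


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("verbose leaks:", probe_usernames(login_verbose, USERS, names))
    print("uniform leaks:", probe_usernames(login_uniform, USERS, names))
```

The single message is necessary but not sufficient: if the missing-user branch returns before hashing, response time still separates the two cases, which is why `login_uniform` always hashes against a record. When the check is delegated to an external authenticator, its distinct error codes must be collapsed the same way before anything reaches the client.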

People

sdumitriu Sergiu Dumitriu
dbarowy Daniel Barowy