XWiki Platform
XWIKI-3618

XWiki login should not differentiate between invalid user and invalid password


Details

    • keywords: security password

      Description

      If a user enters an invalid username, or an invalid password, XWiki informs them that they've either entered a "wrong user name" or "wrong password". This is a security vulnerability, because it gives a potential attacker valuable information about what constitutes valid credentials. Rather, in both cases, XWiki should respond with "wrong user name or password".

      This is especially worrying if you have XWiki connected to an underlying authentication system, because XWiki will reveal information about that system which can then be used to compromise other services using that system.
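The two behaviours described above, side by side, as an added example that is not XWiki's own code (XWiki's login handling is Java; this is a Python stand-in with a constructed in-memory user store and hypothetical function names). The leaky variant returns "wrong user name" or "wrong password" depending on which check failed; the uniform variant returns one message for every failure cause and, as a practitioner's caveat the report does not mention, also hashes the submitted password against a dummy record when the user does not exist, so that response time does not leak what the message no longer does.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

# Constructed example store (hypothetical; not XWiki's user model).
# Each user maps to (salt, PBKDF2-HMAC-SHA256 hash of the password).
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": make_user("correct horse battery staple"),
}

# A salt/hash pair belonging to nobody. The hardened path derives the
# submitted password against this record when the user is unknown, so the
# same amount of hashing work is done whether or not the account exists.
_DUMMY_SALT, _DUMMY_HASH = make_user(os.urandom(16).hex())

GENERIC_FAILURE = "wrong user name or password"


def login_leaky(username: str, password: str) -> Tuple[bool, str]:
    """The behaviour the report objects to: the failure message tells the
    caller which half of the credential was wrong, and an unknown user is
    rejected before any password hashing is done."""
    record = USERS.get(username)
    if record is None:
        return False, "wrong user name"
    salt, expected = record
    if not hmac.compare_digest(hash_password(password, salt), expected):
        return False, "wrong password"
    return True, "ok"


def login_uniform(username: str, password: str) -> Tuple[bool, str]:
    """Hardened form: one failure message for every failure cause, the same
    password derivation for known and unknown users, and no early return
    that would make one failure path cheaper than the other."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    user_exists = username in USERS
    password_ok = hmac.compare_digest(candidate, expected)
    if user_exists and password_ok:
        return True, "ok"
    return False, GENERIC_FAILURE


def failure_messages_identical(login: Callable[[str, str], Tuple[bool, str]]) -> bool:
    """Check a login function the way the report asks: does an unknown user
    and a known user with a wrong password get the same response?"""
    _, unknown_user = login("mallory", "anything")
    _, wrong_password = login("alice", "not the password")
    return unknown_user == wrong_password


if __name__ == "__main__":
    print("leaky:  ", failure_messages_identical(login_leaky))    # False
    print("uniform:", failure_messages_identical(login_uniform))  # True
```

The dummy record matters when the wiki is backed by an external authentication system, as the report notes: if the unknown-user path never contacts that system and the wrong-password path does, the difference in response time gives away the same information the message used to.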

              People

              Assignee:
              sdumitriu Sergiu Dumitriu
              Reporter:
              dbarowy Daniel Barowy