Hello,

On Fri, 2008-05-23 at 00:35 -0400, Folk Theory wrote:
> hi,
> on the debian wiki at wiki.debian.org
> when attempting to login with a fake username you get a different
> error message than when attempting to login with the right username
> but the wrong password. this can clearly be used to reveal existing
> user names, which is a security concern

The list of accounts is already available by reviewing the pages' contribution history (read [1]).

Account enumeration is sometimes considered a security issue, but keep in mind that it's very common, on the Internet, to use public information as a login name: for instance, an email address is usually used as the pop3/webmail account name, and the same applies to forums, wikis, etc.

Franklin

[1] http://wiki.debian.org/DebianWiki/Privacy

