Re: Wrong error message when user having is_staff=False tries to login to admin

Thu, 24 Mar 2011 04:50:29 -0700

I have just read whole thread again and I'm happy to see there are many people supporting my proposal. They have written thorough objections to criticism.
So what would be the decision on this issue? Would Django make good guys' life harder while nothing changes for bad guys? 



Hello.


I've recently reported a bug[1] in django but got advice to discuss it  
here on django-developers first.



When a user having is_staff=False provides correct username and password  
to admin login page, he gets a message  "Please enter a correct username  
and password. Note that both fields are case-sensitive." This message is  
wrong, because username and password are correct. Proper message should  
be something like "You do not have permissions to enter admin area."



I want to emphasize once more that when username/password combination is  
wrong, message should be about wrong credentials. But  when  
username/password combination is correct, message should be about  
permissions.



Russellm opposed that idea saying: "This isn't a good idea, because it  
can be used by an attacker to identify admin accounts. This would be a  
leak of potentially sensitive information, narrowing the scope for any  
attack."


I consider that point not valid for following reasons:


* If attacker has no access to any login or password, he will still see  
"wrong password" message.
* If attacker has access to login and password of one user, it won't  
help him to know that this user is not an admin.
* If attacker knows all logins and passwords, proposed change won't make  
attack any easier: attacker will just try them one after another.



That's why I think that proposed change doesn't weaken security and  
should be implemented.



I'm strongly in favor of this change, because my mind was blown off when  
during debug I could login to a site with my credentials, but not to  
admin section. I've lost some time looking for a bug in my code until I  
checked is_staff flag.


1: http://code.djangoproject.com/ticket/15567




--
arty ( http://arty.name )

--
You received this message because you are subscribed to the Google Groups "Django 
developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.
























					Reply via email to