Hi, thanks for your quick responses! Flavio, Jan and Florian, it only "gives away information" when an attacker guesses both the username and the password right.
But if he can guess those right, he could already access the user's information using the normal login! So giving this message does not change the danger. On the other hand, it would prevent lots of confusion.

But we are repeating arguments here, so could you please read: http://groups.google.com/group/django-developers/browse_thread/thread/df19241a0b1a04ef before responding?

Thanks!
Wim

On 13 sep, 19:23, Flávio Amieiro <flavioamie...@gmail.com> wrote:
> On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd]
> <cal.leem...@simplicitymedialtd.co.uk> wrote:
>
> > +1, if the user/pass is entered, that user is entitled to know what its own
> > permissions are.
> > The error should give "You have insufficient access to this page" or
> > something like that.
>
> The thing is: if someone does a brute force attack on '/admin/' and
> gets this message back, they know there's a user with that
> login/password in the system. Since brute force attacks using common
> login/password pairs in these kinds of urls is so common, I think this
> exposes your user more than necessary.
>
> -1
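The disagreement in this thread is about whether an admin login handler should answer differently for "wrong credentials" and "right credentials, but no admin rights". The following is an added illustration, not Django's code and not from anyone in the thread: a constructed, dependency-free stand-in for an admin login view in both shapes, plus a small check showing that the leaky shape lets a caller tell the two failure cases apart while the uniform shape does not. The user table, the `authenticate` stub and the message strings are all constructed for the example.

```python
"""Constructed example: two shapes of an admin login handler.

Not Django's code. The user table, the authenticate() stub and the
messages are invented for the demonstration.
"""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password: str      # plaintext only because this is a constructed demo
    is_staff: bool     # whether the account may use the admin


# Constructed user table: one admin, one ordinary account.
USERS = {
    "alice": User("alice", "correct-horse", is_staff=True),
    "bob": User("bob", "battery-staple", is_staff=False),
}

GENERIC_FAILURE = "Please enter a correct username and password."


def authenticate(username, password):
    """Stand-in for an auth backend: the matching user, or None."""
    user = USERS.get(username)
    if user is None or user.password != password:
        return None
    return user


def admin_login_leaky(username, password):
    """Three distinguishable outcomes.

    A caller who receives the 'insufficient access' text has learned that
    the username/password pair is valid, even though they get no session.
    """
    user = authenticate(username, password)
    if user is None:
        return GENERIC_FAILURE
    if not user.is_staff:
        return "You have insufficient access to this page."
    return "OK"


def admin_login_uniform(username, password):
    """Two outcomes only.

    'Valid credentials but not staff' is folded into the same failure
    message as 'invalid credentials', so the response is not an oracle
    for credential validity.
    """
    user = authenticate(username, password)
    if user is None or not user.is_staff:
        return GENERIC_FAILURE
    return "OK"


def is_credential_oracle(login):
    """True if login()'s failure messages let a caller distinguish a valid
    non-staff credential pair from an invalid one."""
    invalid_pair = login("bob", "wrong-password")
    valid_non_staff_pair = login("bob", "battery-staple")
    return invalid_pair != valid_non_staff_pair


if __name__ == "__main__":
    for name, handler in (("leaky", admin_login_leaky),
                          ("uniform", admin_login_uniform)):
        print(f"{name}: oracle={is_credential_oracle(handler)}")
```

The uniform handler loses the usability benefit the thread argues for (a logged-in non-staff user gets no hint why the admin rejects them), which is exactly the trade-off being debated; the check function makes the information-disclosure side of that trade-off concrete.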