On 04-12-2020 15:55, Adriano dos Santos Fernandes wrote:
> On 04/12/2020 11:48, Mark Rotteveel wrote:
>> This behaviour is a security issue: it leaks existence or
>> non-existence of the user.
>
> Is it a security issue in any website that if I try to create an account
> and it says the user already exists?

Technically, yes. But for such a website this is the trade-off between wanting new people to register and disclosing this information. Given only administrators can create users in Firebird, the disclosure about (non-)existence of a user should only happen when trying to create an account, not at a login attempt.

In my opinion, Firebird should also enter phase 2 of SRP authentication if the user does not exist.

Mark
--
Mark Rotteveel
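The mitigation proposed in this message (run the full SRP exchange even for an unknown user, so that phase 1 looks the same whether or not the account exists) as an added, stand-alone example. This is not Firebird's code and does not reproduce Firebird's wire format, hash or group choices: it is a simplified SRP-6a server with SHA-256 and the 1024-bit group from RFC 5054, and the class and function names (`SrpServer`, `client_login`, `lookup`), the `"salt|"`/`"x|"` HMAC labels and the per-server `_enum_key` secret are my own assumptions. For an unknown user the server derives a salt and verifier with an HMAC over the username, so the reply is random-looking, stable across repeated attempts for that name and different per name; the login then fails only at proof verification, the same point where a wrong password fails.

```python
import hashlib
import hmac
import secrets

# Group parameters: the 1024-bit prime from RFC 5054, Appendix A, generator 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8
SALT_LEN = 16


def to_bytes(x: int) -> bytes:
    return x.to_bytes(N_LEN, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier


def private_x(salt: bytes, username: str, password: str) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


class SrpServer:
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, int]] = {}
        # Per-server secret (assumed design) used only to fabricate stable
        # salts/verifiers for unknown usernames.
        self._enum_key = secrets.token_bytes(32)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(SALT_LEN)
        self.users[username] = (salt, pow(g, private_x(salt, username, password), N))

    def lookup(self, username: str) -> tuple[bytes, int]:
        """Return (salt, verifier) for any username, known or not.

        Unknown users get values derived with HMAC from the server secret:
        random-looking, identical on every attempt for the same name, and
        different per name, so phase 1 cannot be used to probe existence.
        """
        if username in self.users:
            return self.users[username]
        name = username.encode()
        fake_salt = hmac.new(self._enum_key, b"salt|" + name, hashlib.sha256).digest()[:SALT_LEN]
        fake_x = int.from_bytes(hmac.new(self._enum_key, b"x|" + name, hashlib.sha256).digest(), "big")
        return fake_salt, pow(g, fake_x, N)

    def phase1(self, username: str, A: int):
        """Always answers with (salt, B) and a session, whether or not the user exists."""
        if A % N == 0:
            raise ValueError("invalid client public value")
        salt, v = self.lookup(username)
        b = secrets.randbelow(N)
        B = (k * v + pow(g, b, N)) % N
        u = H(to_bytes(A), to_bytes(B))
        S = pow((A * pow(v, u, N)) % N, b, N)
        session = {"A": A, "B": B, "K": hashlib.sha256(to_bytes(S)).digest()}
        return salt, B, session

    def phase2(self, session: dict, M1: bytes) -> bool:
        """Verify the client proof; this is the only step that can fail."""
        expected = hashlib.sha256(to_bytes(session["A"]) + to_bytes(session["B"]) + session["K"]).digest()
        return hmac.compare_digest(expected, M1)


def client_login(server: SrpServer, username: str, password: str) -> bool:
    """Client side of the exchange; returns True only if the server accepts the proof."""
    a = secrets.randbelow(N)
    A = pow(g, a, N)
    salt, B, session = server.phase1(username, A)
    if B % N == 0:
        raise ValueError("invalid server public value")
    u = H(to_bytes(A), to_bytes(B))
    x = private_x(salt, username, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = hashlib.sha256(to_bytes(S)).digest()
    M1 = hashlib.sha256(to_bytes(A) + to_bytes(B) + K).digest()
    return server.phase2(session, M1)


if __name__ == "__main__":
    srv = SrpServer()
    srv.register("alice", "correct horse battery")
    print("known user, right password:", client_login(srv, "alice", "correct horse battery"))
    print("known user, wrong password:", client_login(srv, "alice", "nope"))
    print("unknown user:", client_login(srv, "nobody", "nope"))
```

Deriving the fake salt from a server secret rather than drawing it fresh matters: a salt that changed on every attempt for the same name would itself be an enumeration signal. The server's code path, reply shape and timing are the same for both cases, and a wrong password and a nonexistent account both fail at `phase2`.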


Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
