Closed tametsi closed 2 days ago
Since this fixes CWE-204: Observable Response Discrepancy, I look forward to this being merged relatively quickly, as it is only a minor change in the code base that directly influences the security of NPM.
Docker image for build 1 is available on DockerHub as nginxproxymanager/nginx-proxy-manager-dev:pr-4179
Note: ensure you back up your NPM instance before testing this image! Especially if there are database changes.
Note: this is a different Docker image namespace than the official image.
When authentication fails, the generic error message "Invalid email or password" is returned. Thereby, no information about the existence of the user is given.
This prevents user enumeration attacks, because the response for both scenarios is identical.
Fixes #3873