brustj / tracmor

Automatically exported from code.google.com/p/tracmor
GNU General Public License v2.0

Possible to determine valid users from login prompt #70

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
Case 1:
1. Browse to login page of tracmor installation
2. Type in blahblah for username and password

Case 2:
1. Browse to login page of tracmor installation
2. Type in admin (or any valid user) for username and some random pass

When you enter a valid username you will notice the "Invalid username or 
password." error will be placed underneath the password. When you enter an 
invalid username the "Invalid username or password." message will be placed 
underneath the username.

This can lead to brute force attacks to determine username (and then 
password).

What version of the product are you using? On what operating system?
Tracmor 0.1.0 on Ubuntu Linux

Please provide any additional information below.

Possible fix: Line numbers 78 and 83 of login.php:
Old line:
$this->txtUsername->Warning = $errorMessage;
New Line:
$this->txtPassword->Warning = $errorMessage;

With this modification the error "Invalid username or password." will 
always be displayed below the password.

Original issue reported on code.google.com by jimdiojr on 11 Jun 2009 at 7:42
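
The two cases from the report and the effect of the proposed change, as an added example that is not part of the original issue and is not Tracmor's login.php. It is a stand-alone PHP model: the class names, the `$uniform` switch, `warningLocation()` and the sample account are assumptions made for illustration.

```php
<?php
// Added illustration; not Tracmor's code. All class and method names are hypothetical.
class TextBox {                       // stand-in for a form control with a Warning slot
    public $Text = '';
    public $Warning = '';
}

class LoginForm {
    public $txtUsername;
    public $txtPassword;
    private $users;                   // username => password hash (constructed sample data)

    public function __construct(array $users) {
        $this->txtUsername = new TextBox();
        $this->txtPassword = new TextBox();
        $this->users = $users;
    }

    // $uniform = false reproduces the reported behaviour; true applies the proposed fix.
    public function submit($username, $password, $uniform) {
        $this->txtUsername->Warning = $this->txtPassword->Warning = '';
        $errorMessage = 'Invalid username or password.';
        if (!isset($this->users[$username])) {
            // Unknown user: the reported behaviour puts the warning under the username.
            if ($uniform) { $this->txtPassword->Warning = $errorMessage; }
            else          { $this->txtUsername->Warning = $errorMessage; }
            return false;
        }
        if (!password_verify($password, $this->users[$username])) {
            $this->txtPassword->Warning = $errorMessage;   // known user, wrong password
            return false;
        }
        return true;
    }

    // Which control carries the warning, i.e. what a client can observe in the page.
    public function warningLocation() {
        if ($this->txtUsername->Warning !== '') return 'username';
        if ($this->txtPassword->Warning !== '') return 'password';
        return 'none';
    }
}

// Constructed account; compares Case 1 and Case 2 with and without the change.
$form = new LoginForm(['admin' => password_hash('constructed-sample', PASSWORD_DEFAULT)]);
foreach ([false, true] as $uniform) {
    $form->submit('blahblah', 'blahblah', $uniform);  $unknown = $form->warningLocation();
    $form->submit('admin', 'wrong-pass', $uniform);   $known   = $form->warningLocation();
    printf("uniform=%s unknown=%s known=%s distinguishable=%s\n",
        var_export($uniform, true), $unknown, $known, var_export($unknown !== $known, true));
}
```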

GoogleCodeExporter commented 8 years ago
Thanks for reporting this. Issue is confirmed and we will address ASAP.

Original comment by jsincl...@gmail.com on 16 Jun 2009 at 6:53

GoogleCodeExporter commented 8 years ago

Original comment by jsincl...@gmail.com on 16 Jun 2009 at 6:54

GoogleCodeExporter commented 8 years ago
Fixed at revision #785.

Original comment by kovserg@gmail.com on 25 Jul 2011 at 8:21