jeffreyhi1 / loginsystem-rd

Automatically exported from code.google.com/p/loginsystem-rd

Information Leakage #33

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Several areas of the Login System can be weakened or compromised by
information leakage.

1. User ID and Passwords can never be revealed. This is handled properly by
the Login System but must be communicated to the implementer of the Login
System.

2. Files released for public use must have debug messages removed.

3. Error messages must not reveal authentication credentials, architecture
information, nor differ based on information submitted during
authentication, for example, the system will not say the password is
invalid, but simply say the credentials are invalid.

Original issue reported on code.google.com by rdivilb...@gmail.com on 16 Apr 2010 at 6:25

GoogleCodeExporter commented 8 years ago
Mostly a documentation issue. lg_debug = false in all alpha code but can be set
to true if needed for troubleshooting.

Almost all PHP is debug code. Little ASP is debug code.

Original comment by rdivilb...@gmail.com on 20 Apr 2010 at 6:18

GoogleCodeExporter commented 8 years ago
Both ASP and PHP code is in debug release. Will remove debug at final release.

Original comment by rdivilb...@gmail.com on 22 May 2010 at 4:57
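
Items 2 and 3 of the issue, together with the lg_debug flag mentioned in the follow-up comment, shown as an added PHP example that is not part of the thread or of the loginsystem-rd code. The `$users` store, `authenticate()`, and the `LG_DEBUG` constant are hypothetical names, and the dummy-hash check goes one step beyond the issue text so that both failure paths also do the same work.

```php
<?php
// Added example, not loginsystem-rd code. $users, authenticate() and the
// LG_DEBUG constant are hypothetical; LG_DEBUG only mirrors the lg_debug
// flag named in the thread.
const LG_DEBUG = false;                       // must be false in public releases
const GENERIC_ERROR = 'Invalid credentials.'; // one message for every failure

// Constructed sample user store: user ID => password hash.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Hash verified when the user ID is unknown, so both failure paths do the
// same amount of work.
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

function authenticate(array $users, string $dummyHash, string $id, string $pw): array
{
    $known = array_key_exists($id, $users);
    $hash  = $known ? $users[$id] : $dummyHash;
    $match = password_verify($pw, $hash);

    if ($known && $match) {
        return ['ok' => true, 'message' => 'Welcome.'];
    }

    // The specific reason goes to the server log only, never the response,
    // and the submitted password is never logged.
    $reason = $known ? 'bad password' : 'unknown user id';
    error_log('login failed: ' . $reason);

    $message = GENERIC_ERROR;
    if (LG_DEBUG) {
        // Troubleshooting only: this branch is the leak item 2 warns about.
        $message .= ' [debug: ' . $reason . ']';
    }
    return ['ok' => false, 'message' => $message];
}

// Compare the responses for a wrong password and for an unknown user ID.
$wrongPassword = authenticate($users, $dummyHash, 'alice', 'wrong');
$unknownUser   = authenticate($users, $dummyHash, 'mallory', 'wrong');
var_dump($wrongPassword === $unknownUser);
var_dump(authenticate($users, $dummyHash, 'alice', 'correct horse')['ok']);
```

Setting `LG_DEBUG` to `true` makes the two failure responses differ, which is why a public release has to ship with it off.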