fair enough, just making sure it's a feature and not a bug ;)

FT

On Fri, May 23, 2008 at 1:50 AM, Franklin PIAT <[EMAIL PROTECTED]> wrote:
> Hello,
>
> On Fri, 2008-05-23 at 00:35 -0400, Folk Theory wrote:
> > hi,
> > on the debian wiki at wiki.debian.org
> > when attempting to login with a fake username you get a different
> > error message than when attempting to login with the right username
> > but the wrong password. this can clearly be used to reveal existing
> > user names, which is a security concern
>
> The list of accounts is available by reviewing the pages' contributions
> history already (read [1]).
>
> Account enumeration is sometimes considered as a security issue, but keep
> in mind that it's very common, on the Internet, to use public
> information as login name: for instance email address is usually used
> as pop3/webmail account name, the same applies for forums, wikis, etc.
>
> Franklin
>
>
> [1] http://wiki.debian.org/DebianWiki/Privacy
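
The behaviour discussed in this thread, shown as an added example that is not part of the original messages and is not the wiki's own code: a login check whose error text depends on whether the name exists, the same check with a uniform failure response, and a regression test that tells them apart. The account store, the message strings and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample account store (not real wiki data).
USERS = {"alice": _make_user("correct horse")}
# Record that is verified against when the name is unknown, so both
# failure paths do the same hashing work.
_DUMMY = _make_user("placeholder")

def login_leaky(username, password):
    """Error text differs between a missing name and a wrong password."""
    if username not in USERS:
        return False, "Unknown user name."
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return False, "Wrong password."
    return True, "Logged in."

def login_uniform(username, password):
    """One failure message, and one hash computation on every path."""
    salt, digest = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), digest)
    if ok and username in USERS:
        return True, "Logged in."
    return False, "Invalid user name or password."

def reveals_account_existence(login, known_user, unknown_user):
    """True if failed logins differ for an existing and a missing name."""
    bad = "definitely-not-the-password"
    return login(known_user, bad) != login(unknown_user, bad)
```
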

