[
http://jira.magnolia-cms.com/browse/MAGNOLIA-3347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ondřej Chytil updated MAGNOLIA-3347:
------------------------------------
Fix Version/s: 4.3.9
(was: 4.3.x)
> Security Improvement: User accounts are testable
> ------------------------------------------------
>
> Key: MAGNOLIA-3347
> URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-3347
> Project: Magnolia
> Issue Type: Improvement
> Security Level: Public
> Components: admininterface
> Reporter: Martin Ruf
> Assignee: Ondřej Chytil
> Priority: Major
> Fix For: 4.3.9, 4.4
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> User accounts can be tested very easily, there are three (or more) different
> error messages when login fails:
> - user deactivated
> - wrong password
> - user does not exist
> Knowing valid user accounts can be used as a basis for brute force attacks, a
> generic error message should be shown ("login failed" or something like that).
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.magnolia-cms.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
----------------------------------------------------------------
For list details, see: http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <[email protected]>
----------------------------------------------------------------
