Re: Security problem on debian wiki
On Fri, 2008-05-23 at 00:35 -0400, Folk Theory wrote:
> on the debian wiki at wiki.debian.org
> when attempting to login with a fake username you get a different
> error message than when attempting to login with the right username
> but the wrong password. this can clearly be used to reveal existing
> user names, which is a security concern
The list of accounts is available by reviewing the pages contributions
history already (read ).
Account enumeration is sometime considered as a security issue, but keep
in mind that it's very common, on the Internet, to use public
information as login name : for instance email address is usually used
as pop3/webmail account name, the same apply for forums, wikis, etc.