Re: Security problem on debian wiki

To: Folk Theory <folktheory@gmail.com>
Cc: debian-www@lists.debian.org
Subject: Re: Security problem on debian wiki
From: Franklin PIAT <fpiat@bigfoot.com>
Date: Fri, 23 May 2008 07:50:01 +0200
Message-id: <[🔎] 1211521801.5101.95.camel@solid.paris.klabs.be>
In-reply-to: <[🔎] a5fa7850805222135n46084e96na7cf8b9424fcb69a@mail.gmail.com>
References: <[🔎] a5fa7850805222135n46084e96na7cf8b9424fcb69a@mail.gmail.com>

Hello,

On Fri, 2008-05-23 at 00:35 -0400, Folk Theory wrote:
> hi,
> on the debian wiki at wiki.debian.org
> when attempting to login with a fake username you get a different
> error message than when attempting to login with the right username
> but the wrong password. this can clearly be used to reveal existing
> user names, which is a security concern

The list of accounts is available by reviewing the pages contributions
history already (read [1]).

Account enumeration is sometime considered as a security issue, but keep
in mind that it's very common, on the Internet, to use public
information as login name : for instance email address is usually used
as pop3/webmail account name, the same apply for forums, wikis, etc.

Franklin

[1] http://wiki.debian.org/DebianWiki/Privacy

Reply to:

Follow-Ups:
- Re: Security problem on debian wiki
  - From: "Folk Theory" <folktheory@gmail.com>

References:
- Security problem on debian wiki
  - From: "Folk Theory" <folktheory@gmail.com>

Prev by Date: Security problem on debian wiki
Next by Date: Re: Security problem on debian wiki
Previous by thread: Security problem on debian wiki
Next by thread: Re: Security problem on debian wiki
Index(es):
- Date
- Thread