
Re: Security problem on debian wiki


On Fri, 2008-05-23 at 00:35 -0400, Folk Theory wrote:
> Hi,
> on the Debian wiki at wiki.debian.org,
> when attempting to log in with a fake username you get a different
> error message than when attempting to log in with the right username
> but the wrong password. This can clearly be used to reveal existing
> user names, which is a security concern.

The list of accounts is already available by reviewing the pages'
contribution history (read [1]).

Account enumeration is sometimes considered a security issue, but keep
in mind that it's very common, on the Internet, to use public
information as a login name: for instance, an email address is usually used
as a pop3/webmail account name, and the same applies to forums, wikis, etc.


[1] http://wiki.debian.org/DebianWiki/Privacy
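
The behaviour reported in the quoted message, next to a login check that answers both failure cases identically, as an added example that is not part of this thread and is not the wiki software's code. The function names, messages and the sample account are constructed for illustration; where account names are public anyway, as the reply points out, the uniform form changes nothing about what is already visible.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid username or password."  # constructed message text
_ITERATIONS = 50_000

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)

def make_record(password: str):
    """Return (salt, derived key) for storage."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample account store (hypothetical user).
USERS = {"alice": make_record("correct horse")}

# Dummy record: unknown usernames are hashed against it so that both
# failure paths perform the same amount of work.
_DUMMY = make_record("not-a-real-password")

def login_leaky(username: str, password: str):
    """Two distinguishable failures: the response reveals valid names."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown user name."
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Wrong password."
    return True, "Welcome."

def login_uniform(username: str, password: str):
    """One failure message and one code path for both failure cases."""
    record = USERS.get(username)
    salt, stored = record if record is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, salt), stored)
    # An unknown user always fails, even if the dummy password was guessed.
    if record is None or not matches:
        return False, GENERIC_ERROR
    return True, "Welcome."

if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, login_leaky(name, "x"), login_uniform(name, "x"))
```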
