U4-11500 - Exceptions when logging in show incorrect login message

Created by Murray Roke 03 Jul 2018, 22:18:20 Updated by Murray Roke 31 Jul 2018, 07:48:47

Tags: Up For Grabs

When you log in, if for any reason an exception occurs (e.g. DB offline, config error, etc.), I would expect to get an error message. However, I get the incorrect login message.

This wastes time when troubleshooting.


Sebastiaan Janssen 10 Jul 2018, 09:36:13

While this is definitely a pain in the behind, it is also very much a security problem. If you reveal, for example, that the username was not found, then a hacker could start enumerating usernames to find a valid one, before starting to try to enumerate possible passwords against the username.

So what I would suggest is: we leave the generic message in place if debug is set to false in web.config. Your live sites should not run in debug mode, so we'll never see specific messages.

When, however, debug is set to true, we could bubble up the underlying error message and show what is actually going on to (presumably) the developer working on the site.

Care to give a go at sending a PR for this functionality? I've set this to Up for grabs for you or someone else who comes along to give it a go!

Murray Roke 31 Jul 2018, 07:48:47

Your suggestion would solve most issues, but even in live would it not be OK (perhaps?) to surface just 2 kinds of errors? E.g. an exception (server error) vs any other kind of login failure?
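The following is an added illustration of the behaviour discussed in the two comments above; it is not Umbraco's code and not a proposed patch. It combines both suggestions: the credential check collapses "user not found" and "wrong password" into one generic message (so the response cannot be used to enumerate usernames), a backend exception is reported as a distinct "server error" outcome even in live (Murray's point), and the underlying exception text is only appended when a debug flag is set (Sebastiaan's point). `IUserStore`, `FakeUserStore`, `LoginHandler` and the `debugEnabled` parameter are assumed names for this example; in ASP.NET the flag would come from `HttpContext.IsDebuggingEnabled`, which reflects `<compilation debug="...">` in web.config.

```csharp
using System;

// Three outcomes the caller can distinguish. Only ServerError may carry detail, and only in debug.
public enum LoginOutcome { Success, InvalidCredentials, ServerError }

public sealed class LoginResult
{
    public LoginOutcome Outcome { get; }
    public string Message { get; }
    public LoginResult(LoginOutcome outcome, string message) { Outcome = outcome; Message = message; }
}

// Hypothetical credential backend. It answers only "valid or not": the interface deliberately has
// no way to say "no such user", so the handler cannot leak that distinction by accident.
public interface IUserStore
{
    bool ValidateCredentials(string username, string password);
}

// Constructed in-memory store used only to exercise the handler offline.
public sealed class FakeUserStore : IUserStore
{
    private readonly bool _databaseOffline;
    public FakeUserStore(bool databaseOffline) { _databaseOffline = databaseOffline; }

    public bool ValidateCredentials(string username, string password)
    {
        if (_databaseOffline)
            throw new InvalidOperationException("Cannot open database connection"); // simulated DB outage
        return username == "admin" && password == "correct horse battery staple";   // constructed sample user
    }
}

public static class LoginHandler
{
    public static LoginResult Authenticate(IUserStore store, string username, string password, bool debugEnabled)
    {
        try
        {
            return store.ValidateCredentials(username, password)
                ? new LoginResult(LoginOutcome.Success, "Logged in.")
                // Same text whether the user exists or not: no username enumeration via the response.
                : new LoginResult(LoginOutcome.InvalidCredentials, "Invalid username or password.");
        }
        catch (Exception ex)
        {
            // The full exception always goes to the server-side log, regardless of the debug setting,
            // so the troubleshooting information is never lost; only the HTTP response is gated.
            Console.Error.WriteLine("[login] server error: " + ex);

            string message = debugEnabled
                ? "Login failed due to a server error: " + ex.Message      // developer sees the cause
                : "Login failed due to a server error. Contact the site administrator."; // live: cause withheld
            return new LoginResult(LoginOutcome.ServerError, message);
        }
    }
}

public static class Program
{
    private static void Print(LoginResult r) => Console.WriteLine(r.Outcome + ": " + r.Message);

    public static void Main()
    {
        var online = new FakeUserStore(databaseOffline: false);
        var offline = new FakeUserStore(databaseOffline: true);

        Print(LoginHandler.Authenticate(online, "admin", "wrong", debugEnabled: false));  // InvalidCredentials
        Print(LoginHandler.Authenticate(online, "nobody", "wrong", debugEnabled: false)); // identical message
        Print(LoginHandler.Authenticate(offline, "admin", "x", debugEnabled: false));     // ServerError, generic
        Print(LoginHandler.Authenticate(offline, "admin", "x", debugEnabled: true));      // ServerError + cause
    }
}
```

The point of the three-valued `LoginOutcome` is that the login page can render a different message (and the troubleshooter can tell a misconfiguration from a typo) without the response ever saying which half of the credential pair was wrong; the exception text stays in the server log unless the site is explicitly in debug mode.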

