Posted to notifications@ofbiz.apache.org by "Deepak Dixit (JIRA)" <ji...@apache.org> on 2018/08/08 06:00:00 UTC

[jira] [Commented] (OFBIZ-10507) LoginServices.userLogin: Respond "fail" instead of "error" to avoid the (automatic service engine) logging of a stack trace on missing/invalid credentials

    [ https://issues.apache.org/jira/browse/OFBIZ-10507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16572708#comment-16572708 ] 

Deepak Dixit commented on OFBIZ-10507:
--------------------------------------

The login page is prone to a user-enumeration attack; error messages returned must not disclose too much valuable information to an attacker.

Instead of returning a descriptive error message, it would be good if we returned a generic error message and logged all the error messages in the error log.

Like:
 * User name and/or password incorrect

> LoginServices.userLogin: Respond "fail" instead of "error" to avoid the (automatic service engine) logging of a stack trace on missing/invalid credentials
> ----------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-10507
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10507
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework
>            Reporter: Benjamin Jugl
>            Assignee: Benjamin Jugl
>            Priority: Minor
>         Attachments: OFBIZ-10507_org.apache.ofbiz.common.login.LoginServices.patch
>
>
> There are a lot of login-related entries in the logfile that stem from user-related errors (like no or wrong password, user not found and so on). To reduce this, the patch introduces a distinction between ERROR messages and FAIL messages in the Service-Result.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
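An added illustration of the behaviour the issue and the comment above describe, written for this page and not taken from OFBiz's LoginServices: every credential problem (missing user name or password, unknown user, wrong password) yields the same generic message and a "fail" response, while the specific reason goes only to the server log. The class, the constructed USERS store and the helper names are assumptions, not OFBiz APIs.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

// Hypothetical stand-in for a userLogin-style service (not OFBiz code).
public class GenericLoginResponse {
    private static final Logger LOG = Logger.getLogger(GenericLoginResponse.class.getName());
    // Constructed sample credential store (user -> expected password); illustration only.
    private static final Map<String, String> USERS = Map.of("alice", "s3cret", "bob", "hunter2");

    static final String RESPONSE_MESSAGE = "responseMessage";
    static final String RESPOND_FAIL = "fail";   // expected outcome: engine should not log a stack trace
    static final String RESPOND_ERROR = "error"; // reserved for unexpected failures (e.g. datastore down)
    static final String GENERIC_MESSAGE = "User name and/or password incorrect";

    // Same user-facing result for every cause; the detail stays server-side.
    static Map<String, Object> fail(String logReason) {
        LOG.warning("login failed: " + logReason);
        Map<String, Object> result = new HashMap<>();
        result.put(RESPONSE_MESSAGE, RESPOND_FAIL);
        result.put("errorMessage", GENERIC_MESSAGE);
        return result;
    }

    static Map<String, Object> userLogin(String username, String password) {
        if (username == null || username.isEmpty()) return fail("missing username");
        if (password == null || password.isEmpty()) return fail("missing password for " + username);
        String expected = USERS.get(username);
        if (expected == null) return fail("user not found: " + username);
        if (!expected.equals(password)) return fail("wrong password for " + username);
        Map<String, Object> result = new HashMap<>();
        result.put(RESPONSE_MESSAGE, "success");
        result.put("userLoginId", username);
        return result;
    }

    public static void main(String[] args) {
        Map<String, Object> unknownUser = userLogin("nobody", "x");
        Map<String, Object> wrongPassword = userLogin("alice", "wrong");
        // Both failures are indistinguishable to the caller: same response type, same text.
        System.out.println(unknownUser.get(RESPONSE_MESSAGE).equals(wrongPassword.get(RESPONSE_MESSAGE))
                && unknownUser.get("errorMessage").equals(wrongPassword.get("errorMessage")));
    }
}
```

Only the server log (LOG.warning) distinguishes "user not found" from "wrong password", which is what keeps the enumeration signal away from the client.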