View Issue Details

IDProjectCategoryView StatusLast Update
15311Bug reportsSecuritypublic2019-09-23 08:07
Reporterlameventanas Assigned To 
PrioritynoneSeveritytweak 
Status newResolutionopen 
Summary15311: Invalid user / Invalid password should have same error message
Description

When logging in to the admin interface, entering an invalid user vs incorrect password will yield different error messages.
A guy that checked the security of Limesurvey pointed out that this is a security issue.
Can the error message be changed to make it ambiguous?

Steps To Reproduce

Log into admin interface with invalid user, see error message.
Log into admin interface with valid user, but wrong password, see error message.

TagsNo tags attached.
Complete LimeSurvey version number (& build)3.14.8+180829
I will donate to the project if issue is resolvedNo
Browser
Database & DB-VersionMySQL 5.6.44
Server OS (if known)
Webserver software & version (if known)
PHP Version7.3.7

Relationships

related to 15312 new Feature requests Shown more detailed information on login with debug > 0 (or 1) 

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-09-20 10:12 lameventanas New Issue
2019-09-23 08:07 DenisChenu Relationship added related to 15312