Hi, I was wondering if there was any way to change the login error message when a user tries to log in with a correct username but incorrect password to be the same as the error given when they try to log in with an incorrect password? I don't want a potential attacker to be able to know if a username is valid or not.
Cheers
Keir
On Dec 1, 2007 8:31 AM, Keir keirlawson@gmail.com wrote:
Hi, I was wondering if there was any way to change the login error message when a user tries to log in with a correct username but incorrect password to be the same as the error given when they try to log in with an incorrect password? I don't want a potential attacker to be able to know if a username is valid or not.
As a matter of general security practice I would agree with you and suggest that this be changed in the core MediaWiki code, but remember that MediaWiki comes with a publicly-viewable user list, plus user pages that will reveal whether or not a user exists. Unless you've got your wiki on complete lockdown, changing the failed login message would only give you a false sense of security and annoy your users.
At any rate, take a look at MediaWiki:Nosuchuser, MediaWiki:Nosuchusershort, MediaWiki:Wrongpassword, and MediaWiki:Wrongpasswordempty.
You also need to change MediaWiki:Nouserspecified
However: I myself think this is a really bad idea. I remember more than once failing login on one of the several Wikis I have an account for, unsuccessfully cycling through my usual passwords until I finally *read* the error message and noticed I had used the wrong username. You will probably impact legitimate users more than dissuading attackers. Security through obscurity is not a sound plan. If you need additional security against cracking attacks, use a CAPTCHA.
YMMV, Boris
Also check out /index.php/Special:Allmessages
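The behaviour asked for at the start of this thread, sketched outside MediaWiki as an added example (it is not part of the original posts and is not MediaWiki code): a login check with distinct messages beside one that returns a single message and does the same hashing work whether or not the account exists. The account store, message strings and function names are constructed for illustration; as the replies point out, a public user list or user pages still reveal which accounts exist.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed value for the demo; tune for a real deployment


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample account store (hypothetical, not MediaWiki's user table).
USERS = {"Keir": make_user("correct horse")}

# Placeholder record so an unknown username costs the same hash computation.
DUMMY = make_user("placeholder")

GENERIC_ERROR = "Incorrect username or password."


def login_leaky(username, password):
    """Before: distinct messages, one per failure cause (constructed texts)."""
    user = USERS.get(username)
    if user is None:
        return False, f'There is no user by the name "{username}".'
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return False, "Incorrect password entered."
    return True, "ok"


def login_uniform(username, password):
    """After: one message and the same work for every failed attempt."""
    user = USERS.get(username)
    record = user if user is not None else DUMMY
    candidate = hash_password(password, record["salt"])
    matches = hmac.compare_digest(candidate, record["hash"])
    # An unknown user fails even if the guess happens to match the placeholder.
    if user is None or not matches:
        return False, GENERIC_ERROR
    return True, "ok"
```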
Hello,
Does anybody have an idea about this error? Is it my code or an SMW error?
Fatal error: Call to undefined function mb_strpos() in /var/www/wiki/testwiki/extensions/SemanticMediaWiki/includes/SMW_InlineQueries.php on line 628
Thank you for any quick help.
Nelson
You need to install the Multibyte String Functions for PHP. http://ca3.php.net/mbstring
~Daniel Friesen(Dantman) of: -The Gaiapedia (http://gaia.wikia.com) -Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG) -and Wiki-Tools.com (http://wiki-tools.com)
Dan,
Looking back at my setup note, it seems that I did do "--enable-mbstring". Nevertheless, the procedure I followed to install php does the ./configure before make and make install. Do I need to re-install php, or is there a way to enable (or add) the Multibyte String Functions for PHP after the installation? I looked into /etc/php.ini and /etc/httpd/conf.d/php.conf but did not get a clear idea how to add (or enable) the mbstr stuff without re-installing php. I am actually afraid that there may be complications if re-installing php. Could you help me as helping a dummy? Thank you.
Nelson
From: DanTMan <dan_the_man@telus.net>
Sent by: mediawiki-l-bounces@lists.wikimedia.org
To: MediaWiki announcements and site admin list <mediawiki-l@lists.wikimedia.org>
Date: 12/02/2007 08:31 PM
Subject: Re: [Mediawiki-l] Is it SMW?
Please respond to: MediaWiki announcements and site admin list <mediawiki-l@lists.wikimedia.org>
You need to install the Multibyte String Functions for PHP. http://ca3.php.net/mbstring
~Daniel Friesen(Dantman) of: -The Gaiapedia (http://gaia.wikia.com) -Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG) -and Wiki-Tools.com (http://wiki-tools.com)
_______________________________________________ MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l