[Mediawiki-l] Login errors

Steve VanSlyck s.vanslyck at spamcop.net
Sat Dec 1 21:13:04 UTC 2007


Also check out /index.php/Special:Allmessages

Emufarmers Sangly wrote:
> On Dec 1, 2007 8:31 AM, Keir <keirlawson at gmail.com> wrote:
>
>   
>> Hi, I was wondering if there was any way to change the login error message
>> when a user tries to log in with a correct username but incorrect password
>> to be the same as the error given when they try to log in with an incorrect
>> password?  I don't want a potential attacker to be able to know if a username
>> is valid or not.
>>     
>
> As a matter of general security practice I would agree with you and suggest
> that this be changed in the core MediaWiki code, but remember that MediaWiki
> comes with a publicly-viewable user list, plus user pages that will reveal
> whether or not a user exists.  Unless you've got your wiki on complete
> lockdown, changing the failed login message would only give you a false
> sense of security and annoy your users.
>
> At any rate, take a look at MediaWiki:Nosuchuser, MediaWiki:Nosuchusershort,
> MediaWiki:Wrongpassword, and MediaWiki:Wrongpasswordempty.

