Bug #23854

new gui logon displays usernames as red or green - is this secure?

Added by Beyond Buxton over 3 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: No priority
Assignee: Lola Yang
Category: GUI (new)
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

While trying out the new gui at logon ("Demo our upcoming UI!"), I noticed that the username box changes color from blue to either green or red depending on what username I put in. I don't know if this is an intended feature or not, but I wonder if this gives away information to a potential attacker?

I say this because if I put in a random name: batman, mary.poppins, nebuchadnezzar, ... the username box will stay green, allowing me to put in a password and click the "Sign In" button. Which of course doesn't work, because none of those accounts exist on the box. Which is fine. But, if I put in the name of a non-built-in-user that I know won't be able to log on (re: https://bugs.freenas.org/issues/23853), the username box appears as red.

Ok, sure, the account can't log on, but an attacker may now have knowledge of a username on the system which can potentially be exploited by other means.

Maybe this is intended, and I'm just missing the point, but if not, perhaps that can change?

Associated revisions

Revision 6f4bba77 (diff)
Added by Lola Yang over 3 years ago

Done: removed minlength validator Ticket: #23854

History

#1 Updated by Lola Yang over 3 years ago

  • Status changed from Unscreened to Resolved

#2 Updated by Dru Lavigne almost 3 years ago

  • Category set to GUI (new)
  • Target version set to Master - FreeNAS Nightlies
