Wrong error message on login if the user doesn't exist and WireCrypt is disabled #7723
Assignees
Comments
|
On 8/26/23 01:23, Dimitry Sibiryakov wrote:
Current snapshot of Firebird 5 returns isc_login_error if user does
not exists in security db and isc_login if it does exists but password
is wrong.
Two problems here:
1. It leaks security information about user existence.
2. Some client code explicitly expect isc_login to be returned.
Can't reproduce.
Correct logon:
# ./isql -user sysdba -pas masterkey localhost:employee -z
ISQL Version: LI-T5.0.0.1167-dev Firebird 5.0 Beta 2
Server version:
LI-T5.0.0.1167-dev Firebird 5.0 Beta 2
LI-T5.0.0.1167-dev Firebird 5.0 Beta 2/tcp (fbs3)/P18:C
LI-T5.0.0.1167-dev Firebird 5.0 Beta 2/tcp (fbs3)/P18:C
Database: localhost:employee, User: SYSDBA
SQL> ^D
Bad password:
# ./isql -user sysdba -pas qqq localhost:employee
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database
administrator to set up a Firebird login.
Use CONNECT or CREATE DATABASE to specify a database
SQL> ^D
Bad login:
# ./isql -user aasysdba -pas qqq localhost:employee
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database
administrator to set up a Firebird login.
Use CONNECT or CREATE DATABASE to specify a database
SQL> ^D
|
|
Try with |
|
On 8/28/23 12:49, Dimitry Sibiryakov wrote:
Try with |WireCrypt=Disabled|.
Yes, that really changed execution path. Add a ticket please.
|
|
I've updated this ticket. |
aafemt
changed the title
AlexPeshkoff
added a commit
that referenced
this issue
Aug 28, 2023
…nd WireCrypt is disabled (cherry picked from commit f049b6f)
mrotteveel
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If WireCrypt is disabled an attempt to attach with non-existing user returns isc_login_error instead of isc_login.
Two problems here:
The text was updated successfully, but these errors were encountered: