Description

The administration login panel can be used to identify existing users and administrators through the error messages it displays. Web applications frequently overlook the fact that verbose error messages allow user enumeration, because the message differs depending on whether the supplied account exists. During this assessment the team confirmed that these error messages can be used to automate the discovery of users; however, since the server limits the rate of requests, such automation cannot issue a high number of requests per second from a single public IP address. Taking all of the above into account, this vulnerability has been rated as a Medium risk.

Expected results: Responses from the server should contain a generic error message, regardless of whether the user exists in the database or exists and is also an administrator.

Steps: Log in to EAM with invalid credentials.

Actual results: Unable to login user [user ID]. Please make certain all credentials are entered correctly and the user is not locked.

Expected results: A generic message that does not reveal any user information should be displayed.
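The following is an added illustration, not code from EAM or from the report: it places a login handler that leaks account existence and role (the pattern described in this finding) beside a hardened handler that returns one generic message and does the same hashing work for every account, together with a per-source rate limiter of the kind that reduced the risk here. The user store, passwords, messages and limits are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from typing import Optional

# Constructed user store: user id -> (salt, password hash, is_admin).
def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 20_000)

_SALT = secrets.token_bytes(16)
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT), False),
    "admin": (_SALT, _hash("battery staple", _SALT), True),
}
# Dummy credential so an unknown user id costs the same hashing work (no timing oracle).
_DUMMY = (_SALT, _hash(secrets.token_hex(8), _SALT), False)

GENERIC = "Invalid credentials. Please check your details and try again."

def login_verbose(user_id: str, password: str) -> tuple:
    """Leaky pattern from the finding: the message reveals existence and role."""
    if user_id not in USERS:
        return False, f"Unable to login user {user_id}. User does not exist."
    salt, digest, is_admin = USERS[user_id]
    if not hmac.compare_digest(_hash(password, salt), digest):
        role = "administrator" if is_admin else "user"
        return False, f"Incorrect password for {role} {user_id}."
    return True, "Login successful."

def login_generic(user_id: str, password: str) -> tuple:
    """Hardened variant: identical message and identical work for unknown, known and admin accounts."""
    salt, digest, _ = USERS.get(user_id, _DUMMY)
    computed = _hash(password, salt)  # always hash, even for an unknown user
    ok = hmac.compare_digest(computed, digest) and user_id in USERS
    return ok, ("Login successful." if ok else GENERIC)

class RateLimiter:
    """Per-source sliding-window limit, like the server-side limit observed in the assessment."""
    def __init__(self, max_requests: int, window_s: float):
        self.max, self.window = max_requests, window_s
        self.hits = defaultdict(list)
    def allow(self, source_ip: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[source_ip] if now - t < self.window]
        self.hits[source_ip] = recent
        if len(recent) >= self.max:
            return False
        recent.append(now)
        return True
```

Comparing the failure messages of `login_verbose` for a missing, a normal and an administrator account shows the oracle; `login_generic` returns the same string in all three cases.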