Forum Replies Created
fgwebdev (Participant)
I understand that we can do any customizations that we want to, so that it shows the messages we want, but when the plugin gets updated, all of our changes will be erased. Then we are back to where we are now. I am not asking you to rewrite the plugin and upset MOST of your users. All you need to do is create a setting to customize the failed login messages. One setting for the wrong username message and one setting for the wrong password message. Default the messages to what they currently are. Then those who are more security aware can take the needed measures and you don’t run the risk of upsetting MOST of your users.
If you think for one second that people don’t use login systems like this to break into sites, then you would be very mistaken. I know of people personally who do, which is why I am bringing this to your attention. People and companies use this plugin to protect whatever they protect. Some to make money from it and others not. MOST of your users will not have enough knowledge to know this is a security flaw and thus don’t care. But when your customers start losing money because of your plugin and its lack of security, they will start going elsewhere and find a more secure plugin. Anybody who has been in the IT field long enough will know this. To be honest with you, the fact that some of your customers are having to argue with you about this is SAD.
fgwebdev (Participant)
No, it is not in that file. The term “User Not Found.” is located in the following files. This and the error message “Password Empty or Invalid.” should be updated with a more generic login failure message so that an attacker does not know if one or both are incorrect.
wp-content\plugins\simple-membership\classes\class.bAuth.php
wp-content\plugins\simple-membership\classes\class.bFrontRegistration.php
wp-content\plugins\simple-membership\classes\class.swpm-auth.php
wp-content\plugins\simple-membership\languages\swpm-ca_ES.po
wp-content\plugins\simple-membership\languages\swpm-da_DA.po
wp-content\plugins\simple-membership\languages\swpm-da_DK.po
wp-content\plugins\simple-membership\languages\swpm-de_DE.po
wp-content\plugins\simple-membership\languages\swpm-el_GR.po
wp-content\plugins\simple-membership\languages\swpm-es_ES.po
wp-content\plugins\simple-membership\languages\swpm-fr_FR.po
wp-content\plugins\simple-membership\languages\swpm-he_IL.po
wp-content\plugins\simple-membership\languages\swpm-id_ID.po
wp-content\plugins\simple-membership\languages\swpm-ja_JA.po
wp-content\plugins\simple-membership\languages\swpm-lt_LT.po
wp-content\plugins\simple-membership\languages\swpm-lv_LV.po
wp-content\plugins\simple-membership\languages\swpm-mk_MK.po
wp-content\plugins\simple-membership\languages\swpm-nl_BE.po
wp-content\plugins\simple-membership\languages\swpm-nl_NL.po
wp-content\plugins\simple-membership\languages\swpm-pl_PL.po
wp-content\plugins\simple-membership\languages\swpm-pt_BR.po
wp-content\plugins\simple-membership\languages\swpm-pt_PT.po
wp-content\plugins\simple-membership\languages\swpm-ro_RO.po
wp-content\plugins\simple-membership\languages\swpm-ru_RU.po
wp-content\plugins\simple-membership\languages\swpm-sr_RS.po
wp-content\plugins\simple-membership\languages\swpm-sv_SE.po
wp-content\plugins\simple-membership\languages\swpm-tr_TR.po
wp-content\plugins\simple-membership\languages\swpm-zh_CN.po
wp-content\plugins\simple-membership\languages\swpm-zh_Hans.po
wp-content\plugins\simple-membership\languages\swpm.pot
Thanks
fgwebdev (Participant)
Here I am putting in a fake username and password.
[screenshot: username and password]
Here is what I get when I click submit.
[screenshot: response]
This shows the username was incorrect.
When I type in a correct username and a fake password, it says “Password Empty or Invalid.” This gives a brute force attacker plenty of information to use in their attack.
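The generic-message fix requested in these replies, shown as an added PHP example that is not Simple Membership's own code; the member lookup, the sample member and the function names are constructed stand-ins, not plugin APIs:

```php
<?php
// Added example (not the plugin's code): one generic failure message for
// both "unknown user" and "wrong password", so the response does not reveal
// which half of the credentials was wrong.

const GENERIC_LOGIN_ERROR = 'Invalid username or password.';

// Constructed stand-in for the plugin's member lookup: returns the stored
// password hash for a username, or null when no such member exists.
function example_find_member_hash(string $username): ?string {
    static $members = null;
    if ($members === null) {
        // Constructed sample data: one member whose password is "correct horse".
        $members = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return $members[$username] ?? null;
}

// Returns ['ok' => bool, 'message' => string]. Both failure branches produce
// the identical message; the specific reason goes only to the server log.
function example_authenticate(string $username, string $password): array {
    // Hash verified when the user does not exist, so password_verify() still
    // runs and the two failure paths take roughly the same time.
    static $dummy_hash = null;
    if ($dummy_hash === null) {
        $dummy_hash = password_hash('dummy-password-never-used', PASSWORD_DEFAULT);
    }

    $stored      = example_find_member_hash($username);
    $user_exists = $stored !== null;
    $verified    = password_verify($password, $user_exists ? $stored : $dummy_hash);

    if (!$user_exists || !$verified) {
        $reason = $user_exists ? 'bad password' : 'unknown user';
        // Server-side only: keep the detail for monitoring, never for the visitor.
        error_log(sprintf('login failure for "%s": %s', $username, $reason));
        return ['ok' => false, 'message' => GENERIC_LOGIN_ERROR];
    }
    return ['ok' => true, 'message' => 'Login successful.'];
}

// Unknown user and wrong password yield the same visible message;
// only the valid pair succeeds.
var_dump(example_authenticate('nobody', 'x')['message'] === GENERIC_LOGIN_ERROR);
var_dump(example_authenticate('alice', 'wrong')['message'] === GENERIC_LOGIN_ERROR);
var_dump(example_authenticate('alice', 'correct horse')['ok']);
```

The same idea applies to the strings in the .po files listed above: once the code returns a single message, the translations only need that one string.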