avatar pe7er
pe7er
2 Dec 2019

tl;dr
In international language packs the language strings JGLOBAL_AUTH_NO_USER and JGLOBAL_AUTH_INVALID_PASS can be different. This is a small security issue because it makes it possible to perform a user enumeration attack.

Steps to reproduce the issue

Install Joomla 3.9.13 with Dutch language pack (nl_NL).
Enable the Dutch (nl-NL) language pack
Try to log in with a faulty username and the right password. Answer: JGLOBAL_AUTH_NO_USER
Try to log in with the right username and a faulty password. Answer: JGLOBAL_AUTH_INVALID_PASS

Expected result

From a safety point of view I would expect the same error message.
In English (en-GB) the messages are exactly the same:
JGLOBAL_AUTH_NO_USER="Username and password do not match or you do not have an account yet."
JGLOBAL_AUTH_INVALID_PASS="Username and password do not match or you do not have an account yet."

Actual result

I would expect the same in the Dutch language.
However, in the Dutch language pack (nl_NL) the strings differ:
JGLOBAL_AUTH_NO_USER="De combinatie van gebruikersnaam en wachtwoord is niet correct of u hebt nog geen account"
JGLOBAL_AUTH_INVALID_PASS="De combinatie van gebruikersnaam en wachtwoord is niet correct of u heeft nog geen account**.**"

Additional comments

IMHO all language packs should be checked for differences between JGLOBAL_AUTH_NO_USER and JGLOBAL_AUTH_INVALID_PASS. For safety they should be the same.

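The check proposed above (compare JGLOBAL_AUTH_NO_USER and JGLOBAL_AUTH_INVALID_PASS across every language pack) can be automated. The following script is an added example and is not code from the issue thread or from the Joomla project; the two .ini excerpts are constructed samples modelled on the Joomla 3 language file format (KEY="value", ";" comments, "_QQ_" for an embedded quote), not the full pack contents, and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample excerpts, not the real language files.
EN_GB_INI = '''; constructed excerpt of en-GB.ini
JGLOBAL_AUTH_NO_USER="Username and password do not match or you do not have an account yet."
JGLOBAL_AUTH_INVALID_PASS="Username and password do not match or you do not have an account yet."
'''

NL_NL_INI = '''; constructed excerpt of nl-NL.ini, reproducing the mismatch reported in the issue
JGLOBAL_AUTH_NO_USER="De combinatie van gebruikersnaam en wachtwoord is niet correct of u hebt nog geen account"
JGLOBAL_AUTH_INVALID_PASS="De combinatie van gebruikersnaam en wachtwoord is niet correct of u heeft nog geen account."
'''

AUTH_KEYS = ("JGLOBAL_AUTH_NO_USER", "JGLOBAL_AUTH_INVALID_PASS")

# A Joomla language string line: KEY="value" (value may contain "_QQ_" for a literal quote).
_LINE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"(.*)"\s*$')


def parse_joomla_ini(text: str) -> Dict[str, str]:
    """Return the KEY -> string mapping of a Joomla .ini language file.

    Blank lines and ';' comment lines are skipped; the Joomla 3 escape
    "_QQ_" is decoded to a plain double quote.
    """
    strings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        m = _LINE.match(line)
        if m:
            strings[m.group(1)] = m.group(2).replace('"_QQ_"', '"')
    return strings


def describe_diff(a: str, b: str) -> dict:
    """Locate the first differing character so the fix is obvious
    (for the nl-NL sample: 'hebt' vs 'heeft' plus a trailing full stop)."""
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return {"offset": i, "no_user_tail": a[i:], "invalid_pass_tail": b[i:]}


def audit_pack(name: str, ini_text: str) -> dict:
    """Audit one language file: the two login failure strings must be identical,
    otherwise the response text tells an attacker whether the username exists."""
    strings = parse_joomla_ini(ini_text)
    no_user: Optional[str] = strings.get(AUTH_KEYS[0])
    bad_pass: Optional[str] = strings.get(AUTH_KEYS[1])
    result = {
        "pack": name,
        "missing": [k for k in AUTH_KEYS if k not in strings],
        "enumerable": False,
        "diff": None,
    }
    # A key absent from the pack falls back to the en-GB string Joomla loads
    # first, so only packs that define both keys differently are flagged.
    if no_user is not None and bad_pass is not None and no_user != bad_pass:
        result["enumerable"] = True
        result["diff"] = describe_diff(no_user, bad_pass)
    return result


def audit_packs(packs: Dict[str, str]) -> List[dict]:
    """Return the audit results of every pack whose two strings differ."""
    return [r for r in (audit_pack(n, t) for n, t in packs.items()) if r["enumerable"]]


if __name__ == "__main__":
    for finding in audit_packs({"en-GB": EN_GB_INI, "nl-NL": NL_NL_INI}):
        d = finding["diff"]
        print(f'{finding["pack"]}: strings differ at offset {d["offset"]}: '
              f'{d["no_user_tail"]!r} vs {d["invalid_pass_tail"]!r}')
```

Run it over the language/ and administrator/language/ directories of an installation (including any override .ini files, which can reintroduce the difference after the pack itself is fixed). The audit only compares the message text; it does not remove the need for the single-string change discussed below, which takes the second constant out of the code path entirely.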
avatar pe7er pe7er - open - 2 Dec 2019
avatar infograf768
infograf768 - comment - 2 Dec 2019

Which one is correct in Dutch?
Asking because it is useless to have exactly the same strings/value and it would be simple to replace constant 2 by constant 1 in code wherever it is used.

avatar pe7er
pe7er - comment - 2 Dec 2019

I would change both JGLOBAL_AUTH_NO_USER + JGLOBAL_AUTH_INVALID_PASS to:

De combinatie van gebruikersnaam en wachtwoord is niet correct of u heeft nog geen account.

avatar brianteeman
brianteeman - comment - 2 Dec 2019

Asking because it is useless to have exactly the same strings/value and it would be simple to replace constant 2 by constant 1 in code wherever it is used.

But not to remove the strings from the ini

avatar infograf768
infograf768 - comment - 3 Dec 2019

@pe7er
I suggest we modify this in 4.0 to use a single string.
In the meantime, please contact the Dutch TT and ask him to correct the pack.
https://community.joomla.org/translations/joomla-3-translations.html#nl-nl

avatar pe7er
pe7er - comment - 3 Dec 2019

@infograf768 I'll do so. Thanks!

avatar MartijnMaandag
MartijnMaandag - comment - 3 Dec 2019

Released a new Dutch language pack. Will be available soon in the backend.

avatar brianteeman
brianteeman - comment - 3 Dec 2019

Thank you

avatar alikon alikon - change - 3 Dec 2019
Status New Closed
Closed_Date 0000-00-00 00:00:00 2019-12-03 09:33:35
Closed_By alikon
avatar joomla-cms-bot
joomla-cms-bot - comment - 3 Dec 2019

Set to "closed" on behalf of @alikon by The JTracker Application at issues.joomla.org/joomla-cms/27200

avatar alikon
alikon - comment - 3 Dec 2019

closed as we have a new Dutch language pack


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/27200.

avatar pe7er
pe7er - comment - 3 Dec 2019

Thanks @MartijnMaandag !
