FlashFXP Forums - View Single Post

Yil · 06-04-2008, 01:50 PM

Flow: The generic "bad password" reply is actually a security feature. If you could try random names and it would reply "bad IP/hostmask" then you know you guessed a valid account name. Deleted/expired accounts are a somewhat special case because they are technically unusable accounts at that point so leaking the name versus informing the user seemed like a good thing to make configurable. I support both options by how you setup the On[Deleted|Expired]Login events. Technically I should probably only show the deleted/expired message if you have it setup to do so AND the hostmask matches. I'll have to think about that one some more...

If people want it to return a "bad host/ip" error I can certainly make it an option you can enable, but like I said it will leak account names if someone was trying to scan the server.

06-04-2008, 01:50 PM
Yil Too much time... Join Date: May 2005 Posts: 1,194	Flow: The generic "bad password" reply is actually a security feature. If you could try random names and it would reply "bad IP/hostmask" then you know you guessed a valid account name. Deleted/expired accounts are a somewhat special case because they are technically unusable accounts at that point so leaking the name versus informing the user seemed like a good thing to make configurable. I support both options by how you setup the On[Deleted\|Expired]Login events. Technically I should probably only show the deleted/expired message if you have it setup to do so AND the hostmask matches. I'll have to think about that one some more... If people want it to return a "bad host/ip" error I can certainly make it an option you can enable, but like I said it will leak account names if someone was trying to scan the server.