Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why does GetErrorMessage return "wrong password", when the user name is wrong?

GetErrorMessage (from CInternetException) gives me the following:

With the incorrect ftp server name:
"ERROR! The server name or address could not be resolved"

With the incorrect password:
ERROR! The password was not allowed

With the incorrect user name:
ERROR! The password was not allowed <-----? NO separate message for incorrect username? Is this intended?

try
{
   pConnect = sess->GetFtpConnection(host, userName, password, port, FALSE );
}

catch (CInternetException* pEx) //incorrect user name displays incorrect password?
{
      TCHAR sz[1024];
      pEx->GetErrorMessage(sz, 1024);
      printf("ERROR!  %s\n", sz);
      pEx->Delete();
}
like image 610
T.T.T. Avatar asked Dec 13 '22 00:12

T.T.T.


1 Answers

Yes that is intended. A typical FTP server will not distinguish between an invalid password and an invalid username. This is for security reasons, so e.g. attackers can't brute force their way to discover valid usernames.

like image 153
nos Avatar answered Dec 15 '22 12:12

nos