Author: MediaWiki
Description:
By default, the messages displayed to a user when failing a login specify what was wrong with the provided credentials. If there is no such user, it says so; if the user is correct but the password is wrong, it says so. This poses a serious security risk, as hackers can use this information to determine what usernames exist and then try to brute-force the password.
Version: unspecified
Severity: minor
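The behaviour described in the report, next to a variant that returns one failure message for both cases, as an added example that is not MediaWiki's code. The function names, message strings and user store are constructed for illustration; the uniform variant also hashes against a dummy record so that unknown usernames cost the same work as known ones, which goes slightly beyond the message wording the report covers.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record used when the username is unknown, so the hash is still computed.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash(os.urandom(16).hex(), _DUMMY_SALT))

GENERIC_FAILURE = "Incorrect username or password."  # constructed wording


def login_verbose(username: str, password: str):
    """Distinct message per failure cause, as the report describes."""
    record = USERS.get(username)
    if record is None:
        return False, "There is no user by that name."
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Incorrect password entered."
    return True, "Login successful."


def login_uniform(username: str, password: str):
    """Same credential check, one failure message for both causes."""
    record = USERS.get(username)
    salt, stored = record if record is not None else _DUMMY
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if record is None or not ok:
        return False, GENERIC_FAILURE
    return True, "Login successful."


def distinguishable(login, known: str, unknown: str, wrong_password: str = "x") -> bool:
    """True if a failed login responds differently for known vs unknown names."""
    return login(known, wrong_password) != login(unknown, wrong_password)
```

`distinguishable` can serve as a regression check: it should stay false for whichever login handler is deployed.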