Why does GetErrorMessage return an "invalid password" when an invalid username?

Question

Why does GetErrorMessage return an "invalid password" when an invalid username?

GetErrorMessage (from CInternetException) gives me the following:

With the wrong ftp server name:
"ERROR! Server name or address could not be resolved"

With the wrong password:
ERROR! Password not allowed

With invalid username:
ERROR! Password not allowed <-----? No separate message for invalid username? Is this intended?

try { pConnect = sess->GetFtpConnection(host, userName, password, port, FALSE ); } catch (CInternetException* pEx) //incorrect user name displays incorrect password? { TCHAR sz[1024]; pEx->GetErrorMessage(sz, 1024); printf("ERROR! %s\n", sz); pEx->Delete(); }

+4

c ++ windows winapi wininet

TTT Jan 29 '10 at 23:52

source share

1 answer

nos · Accepted Answer · 2010-01-29T23:55:31+0000

Yes, it is intended. A typical FTP server will not distinguish between an invalid password and an invalid username. This is for security reasons, for example, attackers cannot redirect their path to discover valid usernames.

Why does GetErrorMessage return an "invalid password" when an invalid username?

More articles: