SAP Knowledge Base Article - Preview

3305578 - User locked error message for password-locked users confirms that the user does exist.

Symptom

When a logon with user name and password is attempted on the NetWeaver AS ABAP environment for a user that is locked due to incorrect logon attempts, the error message displayed explicitly states that the user is locked.

This is perceived as a threat because the message confirms that the user does exist.


Environment

NetWeaver AS ABAP for the below Basis releases and above:

700 All SPs;
710 All SPs;
711 All SPs;
701 All SPs;
702 All SPs;
730 All SPs;
720 All SPs;
731 until SP 07;
740 until SP 02.

Product

SAP NetWeaver Application Server for ABAP all versions

Keywords

brute, force, attack, login, parameters, password, locked, disclose, risk, security, concern, KBA, BC-SEC-LGN, Authentication, Product Enhancement
