Username enumeration vulnerability via login & password reset screens
Bug #1203924 reported by Aaron Wells
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Won't Fix | Low | Unassigned |
Bug Description
A user enumeration vulnerability means that an attacker can obtain a list of valid usernames and/or email addresses from the site. A "bruteforce" user enumeration vulnerability means that, given a list of candidate usernames and/or email addresses, they can verify whether or not each one is registered with an account on the site.
The Mahara password reset page is vulnerable to this. You can simply go in to https:/
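As an added example (not Mahara's code), a minimal password reset handler that reveals whether an identifier is registered, beside a hardened one that answers identically either way, plus the regression check a reviewer would keep to catch the leak coming back. The account store and response messages are constructed.

```python
"""Password reset: leaky handler vs. hardened handler, plus a regression check.
Added example; the account store and messages below are constructed."""
import secrets

# Constructed sample account store: username -> email address.
ACCOUNTS = {"alice": "alice@example.org", "bob": "bob@example.org"}


def _lookup(identifier: str):
    """Resolve a username or email address to the account's email, or None."""
    for user, addr in ACCOUNTS.items():
        if identifier in (user, addr):
            return addr
    return None


def leaky_reset(identifier: str) -> dict:
    """Vulnerable: status code and message differ depending on whether the
    identifier is registered, so each request confirms or denies one guess."""
    if _lookup(identifier) is not None:
        return {"status": 200, "message": "A password reset email has been sent."}
    return {"status": 400, "message": "No account matches that username or email."}


def hardened_reset(identifier: str, outbox=None) -> dict:
    """Fixed: the HTTP response is identical whether or not the account exists.
    Mail is only queued for real accounts, but that side effect is not visible
    to the requester. `outbox` is a constructed stand-in for the mailer."""
    email = _lookup(identifier)
    # Generate the token on both paths so the branches do comparable work.
    token = secrets.token_urlsafe(32)
    if email is not None and outbox is not None:
        outbox.append((email, token))
    return {
        "status": 200,
        "message": "If that account exists, a password reset email has been sent.",
    }


def leaks_existence(handler, known: str, unknown: str) -> bool:
    """Regression check: True if the handler's response differs between a
    registered identifier and an unregistered one."""
    return handler(known) != handler(unknown)
```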
summary: Bruteforce user enumeration vuln in password reset screen → Bruteforce username/email enumeration vuln in password reset screen
Changed in mahara:
- milestone: 1.8rc1 → 1.8.0
Changed in mahara:
- importance: Medium → Low
Changed in mahara:
- milestone: 1.8.0 → 1.8.1
Changed in mahara:
- milestone: 1.8.1 → 1.8.2
Changed in mahara:
- assignee: nobody → Leo Xiong (hello-w)
- status: Triaged → In Progress
no longer affects: mahara/1.9
no longer affects: mahara/1.8
Changed in mahara:
- milestone: 15.04.0 → 15.04.1
Changed in mahara:
- milestone: 15.04.1 → 15.10.0
no longer affects: mahara/1.10
I'm considering this one a relatively low priority because:
1. It's bruteforce user enumeration, which means you already have to have some idea of which ones are present.
2. There's already a much more direct user enumeration attack available in Mahara: https://bugs.launchpad.net/mahara/+bug/1158625
3. Because Mahara is a social network, usernames are not particularly secret to begin with.