Password reset page leaks user count
Reported by: Paul McMillan
Owned by: nobody
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
django.contrib.auth.views.password_reset_confirm() leaks information related to the number of registered users in the system.
To reproduce, enable the admin, add a user, and import the urlconf from contrib.auth.urls. Visit the reset URL with a request like this:
Repeatedly increment the first value (starting at 1 in this example). When the value is equal to the pk of a valid user, the page returns a 200 with an explanation that your reset URL was invalid. When you reach a user pk that has not yet been assigned, you get a 404.
While the user count is not incredibly vital to security, most admins would prefer not to leak information in this fashion.
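The following is an added illustration, not the ticket's or Django's own code: a self-contained model of the confirm view that shows why the 200/404 split leaks, and the mitigation of answering a missing user exactly like an invalid token. The in-memory user table, the secret key and the HMAC-based token are constructed assumptions standing in for Django's user model and token generator; the function names are hypothetical.

```python
import hmac
import hashlib

# Constructed user table: pk -> stored password hash (assumption, not Django's model).
USERS = {
    1: "hash-of-user-1",
    2: "hash-of-user-2",
}
SECRET_KEY = b"constructed-secret-key"  # constructed; a real deployment uses settings.SECRET_KEY


def make_token(pk):
    """Hypothetical reset token: HMAC over the pk and the stored password hash.
    This is an assumption standing in for Django's token generator."""
    msg = f"{pk}:{USERS[pk]}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def check_token(pk, token):
    """True only if the pk exists and the token matches (constant-time compare)."""
    if pk not in USERS:
        return False
    return hmac.compare_digest(make_token(pk), token)


def confirm_leaky(pk, token):
    """Behaviour the ticket describes: an unassigned pk gives 404, while an assigned
    pk with a bad token gives 200 and an 'invalid link' page. The status code alone
    therefore reveals whether the pk belongs to a user."""
    if pk not in USERS:
        return (404, "not found")
    if check_token(pk, token):
        return (200, "set new password form")
    return (200, "reset link invalid")


def confirm_uniform(pk, token):
    """Mitigated variant: a missing user is handled on the same path as a bad token,
    so the response (status and body) is identical for assigned and unassigned pks."""
    if check_token(pk, token):
        return (200, "set new password form")
    return (200, "reset link invalid")
```

Run `confirm_leaky(99, "x")` against `confirm_leaky(1, "x")` to see the 404/200 difference the ticket reports; `confirm_uniform` returns the same `(200, "reset link invalid")` tuple for both. Note that this only equalises the visible response: `check_token` still short-circuits on a missing pk, so a deployment that also cares about timing differences would want to perform a comparison of equal cost on that path too.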