Password reset page leaks user count
Reported by: PaulM | Owned by: nobody
Has patch: no | Needs documentation: no
Needs tests: no | Patch needs improvement: no
django.contrib.auth.views.password_reset_confirm() leaks information related to the number of registered users in the system.
To reproduce, enable admin, add a user, and import the urlconf from contrib.auth.urls. Visit the reset url with a request like this:
Repeatedly increment the first value (starting at 1 in this example). When the value is equal to the pk of a valid user, the page returns a 200 with an explanation that your reset url was invalid. When you reach a user pk that has not yet been assigned, you get a 404.
While the user count is not incredibly vital to security, most admins would prefer not to leak information in this fashion.
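A pure-Python sketch of the two behaviours, added here as an illustration and not Django's own view code: the leaky handler answers an unassigned pk with a 404 but a real pk with a bad token with a 200, so the two failures can be told apart, while the hardened variant gives both the same answer. The in-memory user store, the HMAC token scheme and all function names are constructed for this example.

```python
import hashlib
import hmac

# Constructed in-memory stand-in for the auth User table. Sequential pks are what
# make walking the uid in the reset URL informative when the two failures differ.
USERS = {1: {"username": "alice", "pw_hash": b"hash-of-alice-password"}}
SERVER_KEY = b"constructed-server-secret"        # stands in for SECRET_KEY
DUMMY_PW_HASH = b"dummy-hash-for-missing-users"  # used so missing users cost the same


def make_token(pk: int, pw_hash: bytes) -> str:
    """Hypothetical reset token: HMAC over pk and the stored password hash, so the
    token stops validating once the password changes."""
    return hmac.new(SERVER_KEY, b"%d:%s" % (pk, pw_hash), hashlib.sha256).hexdigest()


def reset_confirm_leaky(uid: int, token: str) -> tuple[int, str]:
    """The behaviour the ticket describes: unassigned pk -> 404, assigned pk with a
    bad token -> 200 'invalid link'. An observer can distinguish the two."""
    if uid not in USERS:
        return 404, "Not Found"
    if hmac.compare_digest(make_token(uid, USERS[uid]["pw_hash"]), token):
        return 200, "Enter new password"
    return 200, "The password reset link was invalid"


def reset_confirm_uniform(uid: int, token: str) -> tuple[int, str]:
    """Hardened variant: unknown uid and wrong token share one failure path. The HMAC
    is still computed for a missing user (against a dummy hash) to avoid a timing tell."""
    user = USERS.get(uid)
    pw_hash = user["pw_hash"] if user else DUMMY_PW_HASH
    token_ok = hmac.compare_digest(make_token(uid, pw_hash), token)
    if user is not None and token_ok:
        return 200, "Enter new password"
    return 200, "The password reset link was invalid"


def failures_indistinguishable(handler, assigned_pk: int, unassigned_pk: int) -> bool:
    """Regression check: a bad token for a real user must get exactly the same response
    as an unassigned pk. The bad token is a constructed all-zero string."""
    bad_token = "0" * 64
    return handler(assigned_pk, bad_token) == handler(unassigned_pk, bad_token)
```

`failures_indistinguishable` is the kind of check worth keeping in a test suite so the uniform failure path cannot silently regress.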
Change History (5)
comment:1 Changed 3 years ago by schinckel
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:3 Changed 3 years ago by lukeplant
- Resolution set to fixed
- Status changed from new to closed