
Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#14612 closed (fixed)

Password reset page leaks user count

Reported by: PaulM
Owned by: nobody
Component: contrib.auth
Version: 1.2
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

django.contrib.auth.views.password_reset_confirm() leaks information related to the number of registered users in the system.

To reproduce, enable admin, add a user, and import the urlconf from contrib.auth.urls. Visit the reset url with a request like this:

    http://localhost:8000/reset/1-2-3/

Repeatedly increment the first value (starting at 1 in this example). When the value is equal to the pk of a valid user, the page returns a 200 with an explanation that your reset url was invalid. When you reach a user pk that has not yet been assigned, you get a 404.

While the user count is not incredibly vital to security, most admins would prefer not to leak information in this fashion.
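The oracle the report describes, as an added example that is not part of this ticket or of Django's code: a plain-Python stand-in for the confirm view (no Django needed), with the user table, the secret and the token scheme constructed for the example. `vulnerable_confirm` mimics the 200-versus-404 split reported above; `hardened_confirm` collapses an unknown or malformed id into the same "invalid link" response as a bad token, so the probe from the report learns nothing. The real change in [14456] is not reproduced here.

```python
import hashlib
import hmac

# Constructed sample data for the example: user pks 1, 2 and 5 exist, as if
# pks 3 and 4 had been deleted (so the oracle reveals assigned ids, not a count).
USERS = {1: "admin", 2: "alice", 5: "bob"}
SECRET = b"example-secret-not-a-real-key"  # stand-in for a real secret key
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def int_to_base36(n):
    """Encode a non-negative int the way the first segment of the reset URL is encoded."""
    if n < 0:
        raise ValueError("negative id")
    digits = ""
    while True:
        n, r = divmod(n, 36)
        digits = ALPHABET[r] + digits
        if n == 0:
            return digits


def base36_to_int(s):
    """Strict inverse: reject anything outside the base36 alphabet (int() alone is looser)."""
    if not s or any(c not in ALPHABET for c in s.lower()):
        raise ValueError("not base36")
    return int(s, 36)


def make_token(user_id):
    """Hypothetical token scheme (keyed hash of the id) standing in for Django's
    token generator; only its shape matters for this example."""
    return hmac.new(SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()[:20]


def check_token(user_id, token):
    return hmac.compare_digest(make_token(user_id), token)


INVALID = (200, "The password reset link was invalid")
FORM = (200, "Enter new password")


def vulnerable_confirm(uidb36, token):
    """Behaviour the report describes: 404 when the pk is unassigned, 200 'invalid
    link' when the pk exists but the token is wrong. The status alone separates them."""
    try:
        uid = base36_to_int(uidb36)
        _ = USERS[uid]
    except (ValueError, KeyError):
        return (404, "Not Found")
    return FORM if check_token(uid, token) else INVALID


def hardened_confirm(uidb36, token):
    """Same view with the distinction removed: an unknown or malformed id is treated
    exactly like a bad token, so every failure returns the same status and body."""
    try:
        uid = base36_to_int(uidb36)
        known = uid in USERS
    except ValueError:
        uid, known = None, False
    if known and check_token(uid, token):
        return FORM
    return INVALID


def probe(confirm, max_id=8):
    """The ticket's reproduction: walk pk 1..max_id with a junk token, record the status."""
    return {pk: confirm(int_to_base36(pk), "junk-token")[0] for pk in range(1, max_id + 1)}


def leaked_ids(confirm, max_id=8):
    """Ids the probe can confirm exist; empty when every probe looks the same."""
    statuses = probe(confirm, max_id)
    if len(set(statuses.values())) < 2:
        return set()
    return {pk for pk, status in statuses.items() if status == 200}


if __name__ == "__main__":
    print("vulnerable:", sorted(leaked_ids(vulnerable_confirm)))  # [1, 2, 5]
    print("hardened:  ", sorted(leaked_ids(hardened_confirm)))    # []
```

Note what the hardened version does and does not close: status and body are now identical for a missing user, a malformed id and a bad token, which is the leak in this ticket. The token check still runs only when the user exists, so a timing difference between the two failure paths remains in principle; if that matters for a deployment, compare against a dummy token on the miss path as well.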

Attachments (0)

Change History (5)

comment:1 Changed 3 years ago by schinckel

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

As an aside: it's likely that since this appears to be based on the PK of the user, deleting a user would mean a 404 on the relevant reset page.

So, it doesn't actually show the number of users that have registered, but it is possible to find out the PKs of all of the users.

comment:2 Changed 3 years ago by lukeplant

  • Triage Stage changed from Unreviewed to Accepted

comment:3 Changed 3 years ago by lukeplant

  • Resolution set to fixed
  • Status changed from new to closed

(In [14456]) Fixed #14612 - Password reset page leaks valid user ids publicly.

Thanks to PaulM for the report.

comment:4 Changed 3 years ago by lukeplant

(In [14458]) [1.2.X] Fixed #14612 - Password reset page leaks valid user ids publicly.

Thanks to PaulM for the report.

Backport of [14456] from trunk.

comment:5 Changed 3 years ago by jacob

  • milestone 1.3 deleted

Milestone 1.3 deleted
