Opened 14 years ago

Closed 14 years ago

Last modified 13 years ago

#14612 closed (fixed)

Password reset page leaks user count

Reported by: Paul McMillan
Owned by: nobody
Component: contrib.auth
Version: 1.2
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

django.contrib.auth.views.password_reset_confirm() leaks information related to the number of registered users in the system.

To reproduce, enable admin, add a user, and import the urlconf from contrib.auth.urls. Visit the reset url with a request like this:

    http://localhost:8000/reset/1-2-3/

Repeatedly increment the first value (starting at 1 in this example). When the value is equal to the pk of a valid user, the page returns a 200 with an explanation that your reset url was invalid. When you reach a user pk that has not yet been assigned, you get a 404.

While the user count is not incredibly vital to security, most admins would prefer not to leak information in this fashion.
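The behaviour reported above, as an added framework-free model that is not Django's code: the two views below stand in for password_reset_confirm() before and after a fix, using a constructed user table and a simplified HMAC token in place of Django's token generator, plus a regression check a test suite can run against either view.

```python
import hashlib
import hmac

# Constructed stand-ins for the User table and the token generator.
USERS = {1: "hash-a", 2: "hash-b", 5: "hash-c"}   # pk -> password hash
SECRET = b"constructed-secret-key"
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def int_to_base36(n):
    out = ""
    while True:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
        if n == 0:
            return out

def make_token(pk):
    # Token bound to the user's current password hash, so it dies on reset.
    msg = f"{pk}:{USERS[pk]}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]

def reset_confirm_vulnerable(uidb36, token):
    """Behaviour the ticket reports: unknown pk -> 404, known pk -> 200."""
    try:
        pk = int(uidb36, 36)
    except ValueError:
        return (404, "not found")
    if pk not in USERS:
        return (404, "not found")          # the existence oracle
    if hmac.compare_digest(make_token(pk), token):
        return (200, "set new password")
    return (200, "invalid link")

def reset_confirm_hardened(uidb36, token):
    """Unknown pk and bad token collapse into the same 200 'invalid link'."""
    try:
        pk = int(uidb36, 36)
    except ValueError:
        pk = None
    if pk in USERS and hmac.compare_digest(make_token(pk), token):
        return (200, "set new password")
    return (200, "invalid link")

def distinguishes_existence(view, known_pk, unknown_pk):
    """Regression check: with a bad token, responses must not depend on pk."""
    bad = "0" * 20
    return view(int_to_base36(known_pk), bad) != view(int_to_base36(unknown_pk), bad)
```

The hardened view also swallows a malformed uid, so a non-base36 value and a missing user produce the same page.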

Change History (5)

comment:1 by Matthew Schinckel, 14 years ago

As an aside: it's likely that since this appears to be based on the PK of the user, deleting a user would mean a 404 on the relevant reset page.

So, it doesn't actually show the number of users that have registered, but it is possible to find out the PKs of all of the users.

comment:2 by Luke Plant, 14 years ago

Triage Stage: Unreviewed → Accepted

comment:3 by Luke Plant, 14 years ago

Resolution: fixed
Status: new → closed

(In [14456]) Fixed #14612 - Password reset page leaks valid user ids publicly.

Thanks to PaulM for the report.

comment:4 by Luke Plant, 14 years ago

(In [14458]) [1.2.X] Fixed #14612 - Password reset page leaks valid user ids publicly.

Thanks to PaulM for the report.

Backport of [14456] from trunk.

comment:5 by Jacob, 13 years ago

milestone: 1.3 (removed)

Milestone 1.3 deleted
