Opened 6 years ago

Closed 6 years ago

Last modified 5 years ago

#14612 closed (fixed)

Password reset page leaks user count

Reported by: Paul McMillan Owned by: nobody
Component: contrib.auth Version: 1.2
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

django.contrib.auth.views.password_reset_confirm() leaks information related to the number of registered users in the system.

To reproduce, enable admin, add a user, and import the urlconf from contrib.auth.urls. Visit the reset url with a request like this:

    http://localhost:8000/reset/1-2-3/

Repeatedly increment the first value (starting at 1 in this example). When the value is equal to the pk of a valid user, the page returns a 200 with an explanation that your reset url was invalid. When you reach a user pk that has not yet been assigned, you get a 404.

While the user count is not incredibly vital to security, most admins would prefer not to leak information in this fashion.
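The behaviour the report describes is a response oracle: the view answers 404 when the pk in the URL belongs to no user and 200 when it does, so the status code alone reveals which ids exist. The following is an added example, not code from the ticket or from Django itself; it models the view in plain Python with a constructed user table and a simplified HMAC token generator (`make_token`/`check_token`, stand-ins for Django's token machinery) so it runs without Django. `leaky_confirm` reproduces the reported behaviour and `hardened_confirm` removes the oracle by treating "no such user" and "bad token" identically; `distinguishes_existing_users` is the regression check a maintainer would keep to make sure the oracle does not come back.

```python
import hmac
import hashlib
from http import HTTPStatus

# Constructed stand-in for the user table: pk -> (username, password_hash).
# Hard-coded so the example runs without a database; the gap at 3..6
# mimics deleted users, as comment:1 of the ticket points out.
USERS = {
    1: ("alice", "hash-of-alice-password"),
    2: ("bob", "hash-of-bob-password"),
    7: ("carol", "hash-of-carol-password"),
}

# Constructed secret for the example only (assumption: one server-wide key).
SECRET_KEY = b"constructed-example-secret-not-for-production"


def make_token(pk):
    """Derive a per-user reset token (simplified stand-in for Django's generator)."""
    username, password_hash = USERS[pk]
    msg = f"{pk}:{username}:{password_hash}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def check_token(pk, token):
    """Constant-time comparison of the submitted token against the expected one."""
    return hmac.compare_digest(make_token(pk), token)


def parse_reset_path(path):
    """Split '/reset/<uidb36>-<token>/' into (uidb36, token); None if malformed."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "reset" or "-" not in parts[1]:
        return None
    uidb36, token = parts[1].split("-", 1)
    return uidb36, token


def leaky_confirm(path):
    """Behaviour described in the ticket: unknown pk -> 404, known pk + bad token -> 200.

    Because the status code depends on whether the user row exists, an
    anonymous caller learns which pks are assigned.
    """
    parsed = parse_reset_path(path)
    if parsed is None:
        return HTTPStatus.NOT_FOUND, "Not Found"
    uidb36, token = parsed
    try:
        pk = int(uidb36, 36)
    except ValueError:
        return HTTPStatus.NOT_FOUND, "Not Found"
    if pk not in USERS:  # the oracle: user existence decides the status code
        return HTTPStatus.NOT_FOUND, "Not Found"
    if check_token(pk, token):
        return HTTPStatus.OK, "Enter new password"
    return HTTPStatus.OK, "The password reset link was invalid"


def hardened_confirm(path):
    """Same view without the oracle: every failed lookup or token check yields
    one identical 200 'invalid link' response, so existing and missing pks
    are indistinguishable to the caller."""
    parsed = parse_reset_path(path)
    if parsed is None:
        return HTTPStatus.NOT_FOUND, "Not Found"  # malformed URL, not a user lookup
    uidb36, token = parsed
    try:
        pk = int(uidb36, 36)
    except ValueError:
        pk = None
    valid = pk in USERS and check_token(pk, token)
    if valid:
        return HTTPStatus.OK, "Enter new password"
    return HTTPStatus.OK, "The password reset link was invalid"


def distinguishes_existing_users(view):
    """Regression check: does the view answer differently for an existing pk (1)
    and an absent pk (3) when both carry a deliberately wrong token?"""
    existing = view("/reset/1-badtoken/")
    missing = view("/reset/3-badtoken/")
    return existing != missing
```

With the ticket's own probe, `leaky_confirm("/reset/1-2-3/")` returns 200 because pk 1 exists, while `/reset/3-2-3/` returns 404; `hardened_confirm` returns the same 200 body for both, and only a path carrying the correct token for an existing user reaches the "Enter new password" page.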

Change History (5)

comment:1 Changed 6 years ago by Matthew Schinckel

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset

As an aside: it's likely that since this appears to be based on the PK of the user, deleting a user would mean a 404 on the relevant reset page.

So, it doesn't actually show the number of users that have registered, but it is possible to find out the PKs of all of the users.

comment:2 Changed 6 years ago by Luke Plant

Triage Stage: Unreviewed → Accepted

comment:3 Changed 6 years ago by Luke Plant

Resolution: fixed
Status: new → closed

(In [14456]) Fixed #14612 - Password reset page leaks valid user ids publicly.

Thanks to PaulM for the report.

comment:4 Changed 6 years ago by Luke Plant

(In [14458]) [1.2.X] Fixed #14612 - Password reset page leaks valid user ids publicly.

Thanks to PaulM for the report.

Backport of [14456] from trunk.

comment:5 Changed 5 years ago by Jacob

milestone: 1.3

Milestone 1.3 deleted
