Opened 8 years ago

Closed 8 years ago

Last modified 5 years ago

#7723 closed (fixed)

DoS possible with django.contrib.auth.views.password_reset

Reported by: mafr Owned by: Luke Plant
Component: contrib.auth Version: master
Severity: Keywords:
Cc: Triage Stage: Design decision needed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

The password_reset view creates a new password overwriting the existing one. Any user who knows your email address can trigger this process as often as he likes. The effect is that you can't log into your account until you changed your password.

I think the existing password should remain valid even if a reset email has been triggered. The mail should contain a token that can be used to change the password; even if multiple password reset mails are sent, any token should be usable for password reset in a certain time window.

Change History (8)

comment:1 Changed 8 years ago by Marc Garcia

milestone: post-1.0
Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Triage Stage: UnreviewedDesign decision needed

+1 on it

comment:2 Changed 8 years ago by Julien Phalip

Note that a discussion has been going on on this topic at the dev-list [1]. Those wanting to write a patch should have a look there, there's plenty of good ideas for implementation.

[1] http://groups.google.com/group/django-developers/browse_thread/thread/d478dd9079bc448c/030e5cc02fbd2522?lnk=gst&q=salt#030e5cc02fbd2522

comment:3 Changed 8 years ago by Gary Wilson

milestone: post-1.01.0

Sounds like a bug to me, which makes it 1.0 material.

comment:4 Changed 8 years ago by Luke Plant

Owner: set to Luke Plant

comment:5 Changed 8 years ago by Luke Plant

Resolution: fixed
Status: newclosed

(In [8162]) Fixed #7723 - implemented a secure password reset form that uses a token and prompts user for new password.

comment:6 Changed 8 years ago by omat@…

wouldn't it be better not to use the plain user id in the url?

i don't see a security problem there but just a slight bad taste for revealing user ids.

comment:7 in reply to:  6 Changed 8 years ago by Luke Plant

Replying to omat@gezgin.com:

wouldn't it be better not to use the plain user id in the url?

i don't see a security problem there but just a slight bad taste for revealing user ids.

Well:

  • It's in base36, so it's not obviously anything at all. Even if they do know that it is a user id, what could they do with that information?
  • The only person who ever sees that URL is the user themselves -- it is never public.
  • The main problem with exposing ids is if you want to migrate your data to a different system in which the primary keys are different, because you are then stuck with supporting old URLs. But in this case, the URLs are intrinsically 'use once'.
  • What is your alternative? (I'm not saying there aren't any, just that they have more problems)

comment:8 Changed 5 years ago by Jacob

milestone: 1.0

Milestone 1.0 deleted

Note: See TracTickets for help on using tickets.
Back to Top