Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Account enumeration vulnerability #42

Open
karma0 opened this issue Feb 3, 2016 · 1 comment
Open

Account enumeration vulnerability #42

karma0 opened this issue Feb 3, 2016 · 1 comment

Comments

@karma0
Copy link

karma0 commented Feb 3, 2016

When filling in the username/email field, if the specified user doesn't exist, then it will respond with "Sorry, this user doesn't exist." allowing would-be attackers to discover usernames and email addresses within the system using brute-force methods.

Ideally, this would be an option that could be set, with the default being that it would respond the same way it responds when a user types in a correct username or email.
@karma0
Copy link
Author

karma0 commented Feb 14, 2016

Work-around is as follows; put the overriding logic into your app's view.py file:

from django.core.urlresolvers import reverse
from django.core import signing
from password_reset.views import Recover

class RecoverView(Recover):
    def form_invalid(self, form):
        # We want to make believe that an invalid user/email is actually valid
        user = form.data['username_or_email']
        self.mail_signature = signing.dumps(user, salt=self.url_salt)
        return super(Recover, self).form_valid(form)

    def form_valid(self, form):
        # Overridden so as to not allow for enumeration of email via username
        self.user = form.cleaned_data['user']
        username_or_email = form.data['username_or_email']
        self.send_notification()
        self.mail_signature = signing.dumps(username_or_email,
                                            salt=self.url_salt)
        return super(Recover, self).form_valid(form)

You will also need to override the URL:

url(r'^recover/$', RecoverView.as_view(), name='password_reset_recover'),

_Explantation:_
Both, form_valid and form_invalid have to be overridden, because there is a second enumeration vulnerability in the form_valid function, where upon successful entry of a username that exists in the system will display a message stating that an email was sent to the the entered username's email address. By displaying the email address here, anyone can find a valid user and their email address by attempting password resets with usernames.

The changes made will make it so that the value entered on the reset form is the same value that generates the end URL and is the same value that gets displayed on the (success) results page, and this is what will get displayed whether the username or email is valid or not.

If you would like a pull request with these changes, just say the word.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@karma0