#14612 closed (fixed)
Password reset page leaks user count
| Reported by: | Paul McMillan | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.2 |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
django.contrib.auth.views.password_reset_confirm() leaks information related to the number of registered users in the system.
To reproduce, enable admin, add a user, and import the urlconf from contrib.auth.urls. Visit the reset url with a request like this:
http://localhost:8000/reset/1-2-3/
Repeatedly increment the first value (starting at 1 in this example). When the value is equal to the pk of a valid user, the page returns a 200 with an explanation that your reset url was invalid. When you reach a user pk that has not yet been assigned, you get a 404.
While the user count is not incredibly vital to security, most admins would prefer not to leak information in this fashion.
Change History (5)
comment:1 by , 14 years ago
comment:2 by , 14 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:3 by , 14 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:4 by , 14 years ago
Note:
See TracTickets
for help on using tickets.
As an aside: it's likely that since this appears to be based on the PK of the user, deleting a user would mean a 404 on the relevant reset page.
So, it doesn't actually show the number of users that have registered, but it is possible to find out the PKs of all of the users.