mahara-contributors team mailing list archive

[Bug 1203924] Re: Bruteforce user enumeration vuln in password reset screen


I'm considering this one a relatively low priority because:

1. It's bruteforce user enumeration, which means you already have to have some idea of which ones are present.
2. There's already a much more direct user enumeration attack available in Mahara: https://bugs.launchpad.net/mahara/+bug/1158625
3. Because Mahara is a social network, usernames are not particularly secret to begin with.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1203924

Title:
  Bruteforce user enumeration vuln in password reset screen

Status in Mahara ePortfolio:
  Triaged

Bug description:
  A user enumeration vulnerability means that an attacker can get a list
  of legal usernames and/or email addresses from the site. A
  "bruteforce" user enumeration vulnerability means that if they have a
  list of potential usernames and/or email addresses, they can verify
  whether or not each of them is registered with an account in the site.

  The Mahara password reset page is vulnerable to this. You can simply
  go to https://mahara.org/forgotpass.php and enter username or email
  after username or email, and get a friendly response indicating
  whether each one is registered with a user in the site or not.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1203924/+subscriptions
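The response difference the bug description relies on, and the usual fix, as an added example in Python (a modelled reset handler with a constructed user table, not Mahara's own PHP code): the leaky version answers differently for known and unknown accounts, the hardened version returns one neutral message and generates the token on both paths so the two requests look alike.

```python
import secrets

# Constructed stand-in for the site's account store (username -> email).
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}


def lookup(identifier):
    """Resolve a username or email address to the account's email, or None."""
    if identifier in USERS:
        return USERS[identifier]
    for email in USERS.values():
        if email == identifier:
            return email
    return None


def forgotpass_leaky(identifier, outbox):
    """Vulnerable pattern: the reply itself says whether the account exists."""
    email = lookup(identifier)
    if email is None:
        return "No user with that username or email address was found."
    outbox.append((email, secrets.token_urlsafe(32)))
    return "Password reset instructions have been sent."


def forgotpass_hardened(identifier, outbox):
    """Hardened pattern: identical reply either way, token generated either way."""
    email = lookup(identifier)
    # Generate the token unconditionally so the work done does not depend on
    # the lookup result; a real deployment would also queue the mail asynchronously
    # so the send itself cannot act as a timing side channel.
    token = secrets.token_urlsafe(32)
    if email is not None:
        outbox.append((email, token))
    return ("If an account matches what you entered, password reset "
            "instructions have been sent to its email address.")


def enumerates(handler):
    """True if the handler's reply distinguishes a known account from an unknown one."""
    return handler("alice", []) != handler("no-such-user", [])
```

A regression check like `enumerates()` belongs beside the reset page so that a later change to the message text cannot quietly reintroduce the oracle.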
