
mahara-contributors team mailing list archive

[Bug 1203924] Re: Bruteforce user enumeration vuln in password reset screen

 

As for solutions, here are a few possible ones:

A. Add a limit to the number of password reset attempts (or at least
unsuccessful password reset attempts) that can come from a particular IP
address every 5 minutes. (Much like the limit on login attempts per 5
minutes)

B. Add a Captcha mechanism to the password reset page. This can't be the
only solution, however, because it's not acceptable for some
institutions' accessibility standards.

C. Provide exactly the same message to the user on a successful or
unsuccessful password reset attempt. Something like "If you entered your
username or password correctly, we will send you a password reset
email." I don't like this approach because it's not very user friendly,
however.

I'm in favor of option A. I'm willing to accept patches for options B
and C, but they'd have to be optional, able to be disabled by a config
setting.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1203924

Title:
  Bruteforce user enumeration vuln in password reset screen

Status in Mahara ePortfolio:
  Triaged

Bug description:
  A user enumeration vulnerability means that an attacker can get a list
  of legal usernames and/or email addresses from the site. A
  "bruteforce" user enumeration vulnerability means that if they have a
  list of potential usernames and/or email addresses, they can verify
  whether or not each of them is registered with an account in the site.

  The Mahara password reset page is vulnerable to this. You can simply
  go in to https://mahara.org/forgotpass.php and enter username or email
  after username or email, and get a friendly response indicating
  whether each one is registered with a user in the site or not.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1203924/+subscriptions
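The enumeration oracle described in the bug, and options A and C from the reply, as an added illustration. This is not Mahara code and does not use its API: the account set, the IP addresses, the message strings, the `ResetRateLimiter` class and the `enumerate_accounts` probe are all constructed for the demo. The vulnerable handler answers differently for registered and unregistered identifiers; the hardened handler counts every attempt from an IP against a 5-minute window (option A) and returns one fixed message either way (option C), so the attacker's probe learns nothing from the reply text.

```python
"""Added example, not part of the Mahara bug report or code base.

A user-enumerating password-reset handler next to a hardened one, and an
attacker loop that shows what each reply leaks.  Accounts, IPs, messages and
the limiter are constructed for this demo.
"""
import time
from collections import defaultdict, deque

# Constructed account store; a real site would query its user table.
ACCOUNTS = {"alice", "bob", "carol@example.org"}

# Identifier assumed NOT to be registered; the attacker uses it as a baseline.
PROBE = "zz-not-a-real-user-7f3a"

UNIFORM_MSG = ("If the username or email address you entered is registered, "
               "we will send you a password reset email.")
THROTTLED_MSG = "Too many password reset attempts from your address; try again later."


def vulnerable_forgotpass(identifier):
    """The behaviour the bug describes: the reply reveals whether the
    identifier is registered."""
    if identifier in ACCOUNTS:
        return "A password reset email has been sent to your address."
    return "No user with that username or email address was found."


class ResetRateLimiter:
    """Option A: at most `limit` reset attempts per `window` seconds per IP.

    Every attempt is counted, registered identifier or not, so the limiter
    itself cannot be turned into a second oracle.  `clock` is injectable so
    the window can be tested without sleeping."""

    def __init__(self, limit=5, window=300.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)  # ip -> timestamps of recent attempts

    def allow(self, ip):
        now = self.clock()
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window:  # drop expired attempts
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def hardened_forgotpass(identifier, ip, limiter, outbox):
    """Options A + C: throttle per IP, then answer identically whether or not
    the identifier exists.  `outbox` stands in for the mail queue."""
    if not limiter.allow(ip):
        return THROTTLED_MSG
    if identifier in ACCOUNTS:
        outbox.append(identifier)  # real code: queue the email asynchronously
    return UNIFORM_MSG


def enumerate_accounts(handler, candidates):
    """Attacker view: submit a known-bad identifier to get a baseline reply,
    then flag every candidate whose reply differs.  Against the hardened
    handler the set comes back empty."""
    baseline = handler(PROBE)
    return {c for c in candidates if handler(c) != baseline}


if __name__ == "__main__":
    wordlist = ["alice", "dave", "carol@example.org", "erin"]
    print("vulnerable:", sorted(enumerate_accounts(vulnerable_forgotpass, wordlist)))

    limiter = ResetRateLimiter(limit=5, window=300.0)
    outbox = []
    hardened = lambda c: hardened_forgotpass(c, "203.0.113.5", limiter, outbox)
    print("hardened:  ", sorted(enumerate_accounts(hardened, wordlist)))
    print("throttled: ", hardened("bob") == THROTTLED_MSG)  # 6th attempt in window
```

Two caveats the reply text does not spell out. First, a uniform message only closes the text channel: if the handler actually sends the email before replying, the extra latency for registered identifiers is still measurable, so the send should be queued and the reply returned on the same path for both cases (the `outbox` above is that queue). Second, a per-IP limit is easy to spread across many source addresses and also throttles legitimate users behind a shared NAT, which is why the reply treats it as the primary control rather than the only one.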

