mahara-contributors team mailing list archive
Message #16368
[Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen
Leo is working on implementing scenario A, the limit on password reset
attempts per IP address in a given span of time.
We also concluded in an IRC discussion that it would be useful to have a
per-IP limit on *login* attempts as well. It's a slightly more subtle
case:
1. Username enumeration is not a concern with the login screen because
we print the same message whether you entered an invalid username or a
valid username and invalid password.
2. And we also have an existing system that limits the number of
password attempts for each username within a short span of time.
3. HOWEVER, an attacker could do a dictionary attack: Try the five most
common passwords, on a large list of likely usernames.
So, to prevent attack #3, it would be good to have the per-IP timeout on
the login form as well as on the password reset form.
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1203924
Title:
Bruteforce username/email enumeration vuln in password reset screen
Status in Mahara ePortfolio:
In Progress
Bug description:
A user enumeration vulnerability means that an attacker can get a list
of legal usernames and/or email addresses from the site. A
"bruteforce" user enumeration vulnerability means that if they have a
list of potential usernames and/or email addresses, they can verify
whether or not each of them is registered with an account in the site.
The Mahara password reset page is vulnerable to this. You can simply
go to https://mahara.org/forgotpass.php and enter username or email
after username or email, and get a friendly response indicating
whether each one is registered with a user in the site or not.
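To make the reasoning in the comment concrete, here is an added illustration (not Mahara code) of why the existing per-username limit misses attack #3 while a per-IP sliding-window limit catches it; the same limiter serves the password reset form from scenario A. The username list, attempt timing and thresholds (5 failures per username, 20 attempts per IP, 300 s window) are constructed for the demonstration.

```python
from collections import defaultdict, deque

class WindowLimiter:
    """Sliding-window counter: at most `limit` events per key per `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class LoginThrottle:
    """Per-username limit (what the thread says already exists) plus the proposed
    per-IP limit. per_ip=None models the login form before the per-IP limit."""
    def __init__(self, per_user, per_ip=None):
        self.per_user, self.per_ip = per_user, per_ip

    def check(self, ip, username, now):
        if self.per_ip is not None and not self.per_ip.allow(ip, now):
            return "ip_limited"
        if not self.per_user.allow(username, now):
            return "user_limited"
        return "allowed"   # only now would the password actually be verified

def simulate_spray(throttle, usernames, passwords, src_ip):
    """Replay attack #3 from the thread (few passwords x many usernames, one source IP)
    at one attempt per second (constructed timing). Returns a count per outcome."""
    counts = {"allowed": 0, "user_limited": 0, "ip_limited": 0}
    t = 0.0
    for _ in passwords:
        for u in usernames:
            t += 1.0
            counts[throttle.check(src_ip, u, t)] += 1
    return counts

if __name__ == "__main__":
    users = [f"user{i}" for i in range(100)]       # constructed list of likely usernames
    guesses = [f"guess{i}" for i in range(5)]       # stands in for "the five most common passwords"
    before = LoginThrottle(WindowLimiter(5, 300))
    print("per-user limit only:", simulate_spray(before, users, guesses, "203.0.113.7"))
    after = LoginThrottle(WindowLimiter(5, 300), WindowLimiter(20, 300))
    print("with per-IP limit  :", simulate_spray(after, users, guesses, "203.0.113.7"))
```

With only the per-username limit every one of the 500 attempts reaches password verification, because each username is tried just five times spread over the whole run; with the per-IP limit only 40 do, while a single user entering a wrong password a few times from another address is unaffected.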