django-password-reset icon indicating copy to clipboard operation
django-password-reset copied to clipboard

Published 20 hours ago verified publisher icon brutasse

Account enumeration vulnerability

Open karma0 opened this issue 9 years ago • 1 comments

When filling in the username/email field, if the specified user doesn't exist, then it will respond with "Sorry, this user doesn't exist." allowing would-be attackers to discover usernames and email addresses within the system using brute-force methods.

Ideally, this would be an option that could be set, with the default being that it would respond the same way it responds when a user types in a correct username or email.

karma0 avatar Feb 03 '16 04:02 karma0

Work-around is as follows; put the overriding logic into your app's view.py file:

from django.core.urlresolvers import reverse
from django.core import signing
from password_reset.views import Recover

class RecoverView(Recover):
    def form_invalid(self, form):
        # We want to make believe that an invalid user/email is actually valid
        user = form.data['username_or_email']
        self.mail_signature = signing.dumps(user, salt=self.url_salt)
        return super(Recover, self).form_valid(form)

    def form_valid(self, form):
        # Overridden so as to not allow for enumeration of email via username
        self.user = form.cleaned_data['user']
        username_or_email = form.data['username_or_email']
        self.send_notification()
        self.mail_signature = signing.dumps(username_or_email,
                                            salt=self.url_salt)
        return super(Recover, self).form_valid(form)

You will also need to override the URL:

url(r'^recover/$', RecoverView.as_view(), name='password_reset_recover'),

_Explantation:_ Both, form_valid and form_invalid have to be overridden, because there is a second enumeration vulnerability in the form_valid function, where upon successful entry of a username that exists in the system will display a message stating that an email was sent to the the entered username's email address. By displaying the email address here, anyone can find a valid user and their email address by attempting password resets with usernames.

The changes made will make it so that the value entered on the reset form is the same value that generates the end URL and is the same value that gets displayed on the (success) results page, and this is what will get displayed whether the username or email is valid or not.

If you would like a pull request with these changes, just say the word.

karma0 avatar Feb 14 '16 22:02 karma0