django-password-reset

URL exposes base64 encoded email address

Open firstcloudconsulting opened this issue 5 years ago • 0 comments

If you go to /password/recover/ and enter a valid username, it redirects to /password/recover//. If you enter an invalid username then it redirects to /password/recover/IiI/, which decodes to an empty string.

This is insecure because it allows a third party to test for username validity (and obtain previously unknown email addresses) by attempting to reset the passwords. It should not in any way expose:

  1. whether a username/email address is valid or not, or
  2. return an email address for a valid username when the email address was not known previously.

firstcloudconsulting, Dec 11 '19 16:12
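As an added example, not code from django-password-reset or from the issue author, the following stand-alone Python models the redirect the report describes, shows the enumeration check a third party would run against it, and puts a non-disclosing redirect beside it. The user table, the `send_recovery_mail` stub, the `sent/` path and the JSON-then-base64 token layout are assumptions made for the demonstration; that token layout is chosen because URL-safe base64 of the JSON empty string `""` is exactly the `IiI` quoted above.

```python
import base64
import json

# Constructed sample user table standing in for the Django user model (not real data).
USERS = {
    "alice": "alice@example.org",
    "bob": "bob@example.org",
}

RECOVER_PREFIX = "/password/recover/"


def send_recovery_mail(email: str) -> None:
    """Stand-in for the real mail sender (assumed helper, does nothing here)."""
    return None


def leaky_recover_redirect(username: str) -> str:
    """Models the behaviour the issue describes (assumed layout, not the project's code).

    The redirect target carries the looked-up address as URL-safe base64 of its
    JSON encoding, with '=' padding stripped. An unknown username encodes the
    empty string, and base64('""') is exactly 'IiI', the token quoted in the issue.
    """
    email = USERS.get(username, "")
    raw = json.dumps(email).encode()
    token = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{RECOVER_PREFIX}{token}/"


def decode_leaked_email(redirect_url: str) -> str:
    """What a third party does with the Location header: re-pad and decode the token."""
    token = redirect_url[len(RECOVER_PREFIX):].rstrip("/")
    token += "=" * (-len(token) % 4)  # restore the padding the URL dropped
    return json.loads(base64.urlsafe_b64decode(token))


def probe_usernames(usernames) -> dict:
    """Enumeration check a tester would run: submit each candidate username and
    read the address (or the empty string for a non-existent account) out of the URL."""
    return {u: decode_leaked_email(leaky_recover_redirect(u)) for u in usernames}


def hardened_recover_redirect(username: str) -> str:
    """One fix (an assumption, not the project's patch): the same redirect for every
    submitted username, with nothing derived from the account in the URL. The mail
    is still sent only when the account exists, but the HTTP response does not say
    so, and the confirmation page should echo what the requester typed rather than
    the stored address."""
    email = USERS.get(username)
    if email is not None:
        send_recovery_mail(email)  # side effect only; not observable in the response
    return f"{RECOVER_PREFIX}sent/"


if __name__ == "__main__":
    # Leaky: the URL alone tells an attacker which usernames exist and their addresses.
    print(probe_usernames(["alice", "nobody"]))
    # Hardened: valid and invalid usernames produce byte-identical redirects.
    print({u: hardened_recover_redirect(u) for u in ["alice", "nobody"]})
```

Running it shows `nobody` mapping to `/password/recover/IiI/` and decoding to `""`, while `alice` decodes to her address; the hardened variant returns the same `/password/recover/sent/` for both, which is the property the two numbered points above ask for.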