View Issue Details [ Jump to Notes ]

[ Print ]

Project

Category

View Status

Date Submitted

Last Update

0013577

CDash

public

2012-10-06 06:55

2012-10-18 03:17

Reporter

Jonnycake

Assigned To

Julien Jomier

Priority

normal

Severity

minor

Reproducibility

always

Status

resolved

Resolution

fixed

Platform

OS Version

Product Version

Target Version

Fixed in Version

2.2

Summary

0013577: User Enumeration Vulnerability

Description

User enumeration would allow an attacker to discover emails in the database.

Steps To Reproduce

Input valid username/valid password: functions as expected.
Input valid username/invalid password: displays "Wrong username or password."
Input invalid username: displays "This user doesn't exist."

Additional Information

Quick fix, just change the text you display when an invalid username is input to that of a valid username/invalid password.

Tags

No tags attached.

Attached Files

Relationships

Notes
(0031256) Julien Jomier (manager) 2012-10-18 03:17	Thanks a lot for the report.

Issue History
Date Modified	Username	Field	Change
2012-10-06 06:55	Jonnycake	New Issue
2012-10-18 03:11	Julien Jomier	Assigned To	=> Julien Jomier
2012-10-18 03:11	Julien Jomier	Status	new => assigned
2012-10-18 03:17	Julien Jomier	Note Added: 0031256
2012-10-18 03:17	Julien Jomier	Status	assigned => resolved
2012-10-18 03:17	Julien Jomier	Fixed in Version	=> 2.2
2012-10-18 03:17	Julien Jomier	Resolution	open => fixed