Details
- Bug
- Resolution: Fixed
- Low
- 7.4.8
- 1
- Severity 3 - Minor
Description
Issue Summary
Under certain conditions it is possible to enumerate valid usernames by replaying one of the password reset HTTP requests.
Steps to Reproduce
- Request a password reset email
- Open the password reset mail and click the link to open your browser
- Intercept the POST request that saves the new password (i.e. enter the password twice and save; that is the request to capture)
- Replay that POST after changing the email address in the request URI
- The response reveals whether or not that account exists
Expected Results
It should not be possible to determine valid usernames by replaying requests.
Actual Results
By replaying the mentioned request it is possible to confirm valid usernames.
Workaround
A suggestion was made: 'The main problem is that the username is checked before the reset token. It should be the other way around, so if you do not have a valid token you always get the same error message.'
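As an added illustration (not code from this issue or from the affected product), a minimal Python model of the two check orderings the suggestion describes: the vulnerable handler checks the username before the token, so a replay with a changed address gets a different error depending on whether the account exists; the hardened handler validates the token first, binds it to the address it was issued for, and returns one message on every failure path. Store names, messages and function names are assumptions for this example.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the user table and the reset-token table.
USERS = {"alice@example.com": {"password": "old-secret"}}
RESET_TOKENS = {}  # token -> email address the token was issued for


def issue_reset_token(email):
    """Issue a single-use reset token bound to the requesting address."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = email
    return token


def vulnerable_reset(email, token, new_password):
    """Username is checked before the token: the error text alone tells a
    replayed request whether the address belongs to an account."""
    if email not in USERS:
        return "error: no such user"
    if RESET_TOKENS.get(token) != email:
        return "error: invalid token"
    USERS[email]["password"] = new_password
    return "ok"


def hardened_reset(email, token, new_password):
    """Token is validated first and must match the address it was issued for;
    every failure returns the same message, so nothing about the address leaks."""
    issued_for = RESET_TOKENS.get(token, "")
    token_ok = bool(token) and hmac.compare_digest(
        issued_for.encode("utf-8"), email.encode("utf-8"))
    if not token_ok or email not in USERS:
        return "error: invalid or expired reset link"
    del RESET_TOKENS[token]  # single use: a captured request cannot be replayed
    USERS[email]["password"] = new_password
    return "ok"


def leaks_user_existence(handler):
    """Replay with a bogus token against an existing and a nonexistent address;
    differing replies mean the handler can be used to enumerate accounts."""
    existing = handler("alice@example.com", "bogus-token", "x")
    unknown = handler("nobody@example.com", "bogus-token", "x")
    return existing != unknown
```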
Issue Links
- follows VULN-633020