Posted by EmTeedee on October 6, 2009 at 2:14pm
| Project: | Password reset |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
Hi,
with the module installed it is easy to find out if a user name is valid, which can be problematic.
The attached patch fixes this.
Any user name is accepted and if the user exists and has a question set, it is displayed.
If the user name does not exist (or no question is set for the user), a checksum over the user name is calculated and a question from the pool is selected for display.
The checksum prevents different questions being displayed on successive tries (which would also indicate to the attacker that the user does not exist).
| Attachment | Size |
|---|---|
| password_reset-informationleak.diff | 2.64 KB |
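An added illustration (Python, not the module's PHP patch) of the approach described in the report: real users get their own question, everyone else gets a pool question chosen deterministically from the user name, so repeated tries never change the answer. It uses a keyed hash in place of the plain checksum, and the users, question pool and secret are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data: a user with a question, and one who exists but has none set.
USERS = {
    "alice": "What city were you born in?",
    "bob": None,
}

# The pool users pick their question from; decoys must come from the same pool,
# otherwise a question outside it would reveal that the account is real.
QUESTION_POOL = [
    "What was the name of your first pet?",
    "What city were you born in?",
    "What was the name of your first school?",
    "What is your mother's maiden name?",
]

# Constructed per-site secret; keying the hash stops an attacker from
# precomputing the name -> decoy mapping and spotting mismatches.
SITE_SECRET = b"constructed-site-secret"


def normalise(username: str) -> str:
    # Unicode-aware lower-casing, the role drupal_strtolower() plays in the patch.
    return username.strip().casefold()


def decoy_question(username: str, pool=QUESTION_POOL, secret=SITE_SECRET) -> str:
    """Pick a pool question from a keyed hash of the user name.

    Same name -> same index on every attempt, so an attacker cannot tell
    "unknown user" from "known user" by watching the question change.
    """
    digest = hmac.new(secret, normalise(username).encode("utf-8"), hashlib.sha256).digest()
    index = int.from_bytes(digest[:4], "big") % len(pool)
    return pool[index]


def question_for(username: str, users=USERS, pool=QUESTION_POOL, secret=SITE_SECRET) -> str:
    """Accept any user name; never signal whether it exists."""
    real_question = users.get(normalise(username))
    if real_question:
        return real_question
    # Unknown user, or a user with no question set: fall back to the decoy.
    return decoy_question(username, pool, secret)
```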
Comments
#1
From my point of view the mentioned points are vital for a module like this.
* Rerolled the patch, as it didn't apply for me.
* Replaced all strtolower() with drupal_strtolower() for the sake of UTF8
* Backported to D5, tested on both D5/D6
Attached are patches for D5/D6, please commit.
#2
Patch doesn't apply with -p0, you need to create a patch from the module root, not the drupal root.
Also, $chksum should be $checksum, per coding standard.
#3
Fixed in D6. For the time being, I'm not porting anything to D5.
Thanks :)
-K
#4
Automatically closed -- issue fixed for 2 weeks with no activity.