Module leaks information about existence of user
EmTeedee - October 6, 2009 - 14:14
| Field | Value |
|---|---|
| Project: | Password reset |
| Version: | 6.x-1.1-beta2 |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
Hi,
with the module installed it is easy to find out if a user name is valid, which can be problematic.
The attached patch fixes this.
Any user name is accepted and if the user exists and has a question set, it is displayed.
If the user name does not exist (or no question is set for the user), a checksum over the user name is calculated and a question from the pool is selected for display.
The checksum prevents different questions from being displayed on successive tries (which would also indicate to the attacker that the user does not exist).
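The selection scheme described above, as an added illustration that is not the attached patch or the module's own code: the user table, question pool and site secret are constructed stand-ins, and the keyed hash (HMAC with a per-site secret) is an assumption added so that an attacker who knows the pool and the algorithm cannot precompute which decoy question an unknown name would receive.

```python
import hmac
import hashlib

# Constructed sample data standing in for the module's storage.
# The decoy pool must be the same set of questions real users pick from,
# otherwise a decoy question is recognisable as such.
QUESTION_POOL = [
    "What was the name of your first pet?",
    "In which city were you born?",
    "What is your mother's maiden name?",
    "What was the make of your first car?",
]

USERS = {
    "alice": "In which city were you born?",
    "bob": None,  # account exists but never set a question
}

# Hypothetical per-site secret (assumption, not from the issue): keying the
# checksum stops an attacker predicting the decoy for a name and comparing.
SITE_SECRET = b"constructed-site-secret-change-me"


def leaky_question_for(username: str) -> str:
    """Behaviour the issue reports: the response itself says whether the name is valid."""
    if username not in USERS:
        raise LookupError("user not found")  # distinguishable from a real account
    return USERS[username] or "no question set"  # also distinguishable


def decoy_question(username: str) -> str:
    """Deterministically pick a pool question for a name with no real question,
    so repeated tries always show the same one."""
    # Lower-casing assumes the module's user lookup is case-insensitive.
    name = username.strip().lower().encode("utf-8")
    digest = hmac.new(SITE_SECRET, name, hashlib.sha256).digest()
    return QUESTION_POOL[int.from_bytes(digest[:4], "big") % len(QUESTION_POOL)]


def question_for(username: str) -> str:
    """Hardened form: any name yields a question; existing users with a question
    get theirs, everyone else gets a stable decoy."""
    real = USERS.get(username.strip().lower())
    return real if real else decoy_question(username)
```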
| Attachment | Size |
|---|---|
| password_reset-informationleak.diff | 2.64 KB |
