Package: wiki.debian.org
Version: current
Severity: normal
Maybe I missed something, but I think I found a small security-related
glitch in the wiki.debian.org registration process.
It seems currently possible to
(a) confirm the existence of a wiki.debian.org account
(b) reveal its linked email address
REMARK:
(a) This might always be possible, as you can simply try visiting:
https://wiki.debian.org/SomePerson
? - Did not try to see what happens if one deletes his own Homepage.
(b) This should really be a small security glitch as there is the
"General option" on the user's "Preferences" page:
"Publish my email (not my wiki homepage) in author info"
Here is what I did:
* Click on "Login"
* Click on "Forgot your password"
* Enter username, email
* You get: "If this account exists an email was sent."
So far so good, but:
* Click on "Login"
* Click on "you can create one now"
* Enter a username you want to know if it exists
* Enter any email address and any password
* Click "Create Profile"
* You get: "This user name already belongs to somebody else. If this is
a new account and you need another verification link, try sending another one."
So this tells you that the account exists.
* Click on "try sending another one" (works even if "User account has
already been verified!")
* You get: "Verification message re-sent to [email protected]"
And this tells you its linked email address.
Tormen.
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
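The two-step oracle the report walks through (a "name already taken" reply that confirms an account exists, then a "re-sent to <address>" reply that discloses the mailbox), modelled as an added example. This is hypothetical code written for this page, not MoinMoin's or wiki.debian.org's code: the sample account, the store, the message strings and all function names are assumptions. The leaky handlers reproduce the behaviour the report describes; the hardened resend handler shows the fix a practitioner would want for step (b): the same reply for unknown, verified and unverified names, mail only to the address already on file, and never echoing that address. Step (a) is left as-is because the report itself notes (REMARK (a)) that existence can be checked by visiting the user's homepage anyway.

```python
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    verified: bool


def make_store():
    """Constructed sample data; not real wiki.debian.org accounts."""
    return {"SomePerson": Account("SomePerson", "someperson@example.org", verified=True)}


# ---- Leaky behaviour, modelled on the report's observations ----

TAKEN_MSG = ("This user name already belongs to somebody else. If this is a new account "
             "and you need another verification link, try sending another one.")


def create_profile_leaky(store, username, email):
    """Step (a): the distinct 'already belongs to somebody else' reply confirms existence."""
    if username in store:
        return TAKEN_MSG
    store[username] = Account(username, email, verified=False)
    return "Profile created. Check your mail for the verification link."


def resend_verification_leaky(store, username, outbox):
    """Step (b): echoes the stored address in the reply, and does so even for
    accounts that are already verified (as the report observed)."""
    acct = store.get(username)
    if acct is None:
        return "No such user."
    outbox.append((acct.email, "verification link"))
    return f"Verification message re-sent to {acct.email}"


# ---- Hardened behaviour (hypothetical fix, not the wiki's code) ----

UNIFORM_RESEND_MSG = ("If this account exists and is still unverified, a new verification "
                      "message has been sent to the address on file.")


def resend_verification_hardened(store, username, outbox):
    """Identical reply regardless of whether the name exists or is verified;
    mail goes only to unverified accounts, and the address is never echoed."""
    acct = store.get(username)
    if acct is not None and not acct.verified:
        outbox.append((acct.email, "verification link"))
    return UNIFORM_RESEND_MSG


# ---- Checks a reviewer can run against any handler ----

def is_existence_oracle(probe, existing, missing):
    """True if probe(store, username) visibly differs for an existing versus a
    nonexistent username, i.e. the endpoint can be used to enumerate accounts."""
    return probe(make_store(), existing) != probe(make_store(), missing)


def leaks_email(probe, username, email):
    """True if the handler's reply contains the stored address."""
    return email in probe(make_store(), username)


if __name__ == "__main__":
    store, outbox = make_store(), []
    print(create_profile_leaky(store, "SomePerson", "attacker@example.net"))  # confirms existence
    print(resend_verification_leaky(store, "SomePerson", outbox))            # discloses address
    print(resend_verification_hardened(store, "SomePerson", outbox))         # uniform, no address
```

The `is_existence_oracle` check is the generalisation of what the report did by hand: call the same endpoint with a name known to exist and one that does not, and compare the visible responses. Run it against every account-related endpoint (registration, password reset, verification resend, profile lookup), not just the one that happened to be noticed.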