** Changed in: mahara/1.8
   Milestone: 1.8.2 => 1.8.3

--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1203924

Title:
  Bruteforce username/email enumeration vuln in password reset screen

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.10 series:
  In Progress
Status in Mahara 1.8 series:
  In Progress

Bug description:
  A user enumeration vulnerability means that an attacker can get a list of legal usernames and/or email addresses from the site. A "bruteforce" user enumeration vulnerability means that if they have a list of potential usernames and/or email addresses, they can verify whether or not each of them is registered with an account in the site.

  The Mahara password reset page is vulnerable to this. You can simply go to https://mahara.org/forgotpass.php and enter username or email after username or email, and get a friendly response indicating whether each one is registered with a user in the site or not.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1203924/+subscriptions
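The pattern the report describes, as an added illustration that is not Mahara's code: a reset handler whose page text depends on whether the lookup hit, beside a hardened version that returns the same text for every input, plus a defender's check that flags the difference. Account data, messages and function names are constructed for the example.

```python
# Added illustration (not Mahara's code): a password-reset response that
# leaks account existence, beside a hardened version and a leak check.
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample account table: username -> e-mail address.
ACCOUNTS = {
    "alice": "alice@example.org",
    "bob": "bob@example.org",
}

def _lookup(identifier: str) -> Optional[str]:
    """Resolve a username or e-mail address to the account e-mail, or None."""
    ident = identifier.strip().lower()
    if ident in ACCOUNTS:
        return ACCOUNTS[ident]
    return next((e for e in ACCOUNTS.values() if e == ident), None)

@dataclass
class ResetResult:
    message: str                                  # text shown in the response
    sent_to: list = field(default_factory=list)   # e-mails actually queued

def vulnerable_forgot_password(identifier: str) -> ResetResult:
    """Leaks existence: a different message for known and unknown identifiers."""
    email = _lookup(identifier)
    if email is None:
        return ResetResult("No user found with that username or e-mail address.")
    return ResetResult("A password reset link has been e-mailed to you.", [email])

def hardened_forgot_password(identifier: str) -> ResetResult:
    """Same message for every input; only the side effect (queued e-mail)
    differs, and the requester cannot observe that."""
    email = _lookup(identifier)
    result = ResetResult(
        "If that account exists, a password reset link has been sent to its e-mail address.")
    if email is not None:
        result.sent_to.append(email)
    return result

def response_leaks_existence(handler: Callable[[str], ResetResult],
                             known: str, unknown: str) -> bool:
    """Defender's check: True if the visible response distinguishes a
    registered identifier from an unregistered one (enumeration possible)."""
    return handler(known).message != handler(unknown).message
```

An identical message is the necessary fix but not the whole one: response time and HTTP status must also not vary with the lookup result, and the endpoint should be rate-limited so a list of candidates cannot be run through it cheaply.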