[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2015-10-22 Thread Aaron Wells
Have abandoned patch 3032 because it was overkill for us.

** Changed in: mahara
   Status: In Progress => Won't Fix

** Changed in: mahara
Milestone: 15.10.0 => None

** Changed in: mahara
   Status: Won't Fix => Confirmed

** Changed in: mahara
 Assignee: Leo Xiong (leoxiong) => (unassigned)

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1203924

Title:
  Bruteforce username/email enumeration vuln in password reset screen

Status in Mahara:
  Confirmed

Bug description:
  A user enumeration vulnerability means that an attacker can get a list
  of legal usernames and/or email addresses from the site. A
  "bruteforce" user enumeration vulnerability means that if they have a
  list of potential usernames and/or email addresses, they can verify
  whether or not each of them is registered with an account in the site.

  The Mahara password reset page is vulnerable to this. You can simply
  go to https://mahara.org/forgotpass.php and enter username or email
  after username or email, and get a friendly response indicating
  whether each one is registered with a user on the site or not.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1203924/+subscriptions

___
Mailing list: https://launchpad.net/~mahara-contributors
Post to : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
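The bug description above pins the leak on the response wording: the reset form tells the caller whether the identifier matched. The following is an added example, not Mahara's code or the patch discussed in this thread; it is written in Python rather than PHP so the two handler versions and the enumeration loop can be run side by side. The account store, the message strings and the `forgotpass_*`/`enumerate_accounts` names are constructed for the illustration. The "hardened" handler shows the standard remedy of a single fixed response, which is a different control from the per-IP rate limit the thread went on to pursue; the two complement each other.

```python
"""Username/e-mail enumeration through a password-reset form.

Added example (not Mahara code): a toy model of a 'forgot password'
handler in two versions. The vulnerable one answers differently depending
on whether the identifier exists; the hardened one returns one fixed
message and performs the lookup/mail step without reflecting its result.
An attacker with a candidate list distinguishes registered accounts only
in the first case.
"""
from typing import Callable, Dict, List

# Constructed sample account store (username -> e-mail). Not real data.
USERS: Dict[str, str] = {
    "alice": "alice@example.org",
    "bob": "bob@example.org",
}


def _lookup(identifier: str) -> bool:
    """True if identifier matches a username or e-mail (case-insensitive)."""
    ident = identifier.strip().lower()
    return ident in USERS or ident in {e.lower() for e in USERS.values()}


def forgotpass_vulnerable(identifier: str) -> str:
    """Differential responses: the wording itself is the oracle."""
    if _lookup(identifier):
        return "We have sent a password reset e-mail to your address."
    return "No user with that username or e-mail address exists."


def forgotpass_hardened(identifier: str) -> str:
    """One response for every input; mail is queued only when a match exists,
    and nothing about that decision reaches the caller."""
    if _lookup(identifier):
        pass  # queue the reset e-mail here (omitted in this toy model)
    return ("If an account matches what you entered, a password reset "
            "e-mail has been sent to the address on file.")


def enumerate_accounts(handler: Callable[[str], str],
                       candidates: List[str]) -> List[str]:
    """Attacker's side: obtain a baseline response for an identifier that is
    assumed not to exist, then submit each candidate and keep those whose
    response differs. Returns the list of leaked identifiers."""
    baseline = handler("nobody-" + "x" * 24)  # assumed non-existent identifier
    return [c for c in candidates if handler(c) != baseline]


if __name__ == "__main__":
    # Constructed candidate list mixing registered and unregistered values.
    wordlist = ["admin", "alice", "carol", "bob@example.org", "dave@example.org"]
    print("vulnerable leaks:", enumerate_accounts(forgotpass_vulnerable, wordlist))
    print("hardened leaks:  ", enumerate_accounts(forgotpass_hardened, wordlist))
```

A fixed message closes the content channel but not the timing one: if the matching branch sends mail synchronously, the response latency still distinguishes registered from unregistered identifiers, so the mail step should be queued rather than performed inline. The per-IP attempt limit discussed later in the thread is still needed to make any remaining oracle expensive to query at scale.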


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2015-04-20 Thread Aaron Wells
** Changed in: mahara
Milestone: 15.04.1 => 15.10.0

** No longer affects: mahara/1.10

Status in Mahara ePortfolio:
  In Progress


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2015-04-19 Thread Son Nguyen
** Changed in: mahara/1.10
Milestone: 1.10.3 => 1.10.4

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.10 series:
  In Progress


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2015-04-16 Thread Robert Lyon
** Changed in: mahara/1.10
Milestone: 15.04.0 => 1.10.3

** Changed in: mahara
Milestone: 15.04.0 => 15.04.1

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.10 series:
  In Progress


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2014-09-09 Thread Aaron Wells
** Changed in: mahara/1.10
Milestone: 1.10.0 => 1.11.0

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.10 series:
  In Progress


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2014-05-12 Thread Aaron Wells
** No longer affects: mahara/1.8

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.10 series:
  In Progress


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2014-04-02 Thread Robert Lyon
** Changed in: mahara/1.8
Milestone: 1.8.2 => 1.8.3

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.10 series:
  In Progress
Status in Mahara 1.8 series:
  In Progress


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2014-03-27 Thread Robert Lyon
** Also affects: mahara/1.10
   Importance: Undecided
   Status: New

** No longer affects: mahara/1.9

** Changed in: mahara/1.10
   Status: New => In Progress

** Changed in: mahara/1.10
   Importance: Undecided => Low

** Changed in: mahara/1.10
 Assignee: (unassigned) => Leo Xiong (leoxiong)

** Changed in: mahara/1.10
Milestone: None => 1.10.0

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.10 series:
  In Progress
Status in Mahara 1.8 series:
  In Progress


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2014-03-24 Thread Kristina Hoeppner
** Changed in: mahara/1.9
Milestone: 1.9.0 => 1.10.0

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.8 series:
  In Progress
Status in Mahara 1.9 series:
  In Progress


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2014-02-24 Thread Aaron Wells
** Also affects: mahara/1.8
   Importance: Undecided
   Status: New

** Also affects: mahara/1.9
   Importance: Low
 Assignee: Leo Xiong (leoxiong)
   Status: In Progress

** Changed in: mahara/1.8
Milestone: None => 1.8.2

** Changed in: mahara/1.9
Milestone: 1.8.2 => 1.9.0

** Changed in: mahara/1.8
   Status: New => In Progress

** Changed in: mahara/1.8
   Importance: Undecided => Low

** Changed in: mahara/1.8
 Assignee: (unassigned) => Leo Xiong (leoxiong)

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.8 series:
  In Progress
Status in Mahara 1.9 series:
  In Progress


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2014-01-14 Thread Aaron Wells
Leo is working on implementing scenario A, the limit on password reset
attempts per IP address in a given span of time.

We also concluded in an IRC discussion that it would be useful to have a
per-IP limit on *login* attempts as well. It's a slightly more subtle
case:

1. Username enumeration is not a concern with the login screen because
we print the same message whether you entered an invalid username or a
valid username and invalid password.

2. And we also have an existing system that limits the number of
password attempts for each username within a short span of time.

3. HOWEVER, an attacker could do a dictionary attack: try the five most
common passwords on a large list of likely usernames.

So, to prevent attack #3, it would be good to have the per-IP timeout on
the login form as well as on the password reset form.

Status in Mahara ePortfolio:
  In Progress
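Aaron's comment contrasts two controls: the existing per-username attempt limit, which stops a brute force against one account, and the proposed per-IP limit over a time window (his "scenario A"), which is what stops a dictionary attack that tries a few common passwords against many usernames. The following is an added example, not Mahara's code or Leo's patch, written in Python so the simulation runs stand-alone. The limits (5 per username, 10 per IP, 300-second window), the credential store, the candidate lists and the `SlidingWindowLimiter`/`LoginService`/`password_spray` names are all constructed for the illustration; time is passed in explicitly so the run is deterministic.

```python
"""Per-IP versus per-username attempt limiting on a login form.

Added example (not Mahara code). The password spray below is the attack
from point 3 of the comment: five common passwords against twenty
usernames from one IP. With only the per-username limiter each account
receives exactly five guesses and is never locked, so weak passwords fall.
Adding a per-IP limit over the same window stops the spray after the
first ten requests.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:  # expire events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed sample credentials (username -> password). Not real data.
USERS: Dict[str, str] = {"alice": "correct horse", "bob": "Password1", "carol": "letmein"}

# Constructed attacker inputs: 20 likely usernames, 5 common passwords.
USERNAMES: List[str] = ["alice", "bob", "carol"] + [f"user{i:02d}" for i in range(17)]
COMMON_PASSWORDS: List[str] = ["123456", "Password1", "letmein", "qwerty", "welcome"]


class LoginService:
    """Toy login endpoint. `per_ip_limit=None` models the form before the
    proposed per-IP timeout; the default models it with the timeout added."""

    def __init__(self, per_ip_limit: Optional[int] = 10, window: float = 300.0) -> None:
        self.per_user = SlidingWindowLimiter(limit=5, window=window)
        self.per_ip = SlidingWindowLimiter(per_ip_limit, window) if per_ip_limit else None

    def login(self, ip: str, username: str, password: str, now: float) -> str:
        # Per-IP check first, so guesses against non-existent usernames count too.
        if self.per_ip is not None and not self.per_ip.allow(ip, now):
            return "rate-limited"
        # The per-username counter is applied whether or not the user exists,
        # so the limiter itself does not become an enumeration oracle.
        if not self.per_user.allow(username, now):
            return "locked"
        if USERS.get(username) == password:
            return "ok"
        return "invalid"  # identical message for bad username and bad password


def password_spray(service: LoginService, ip: str, usernames: List[str],
                   passwords: List[str]) -> Tuple[int, int]:
    """Attacker: each password against every username, one request per second
    from a single IP. Returns (accounts cracked, attempts stopped by a limiter)."""
    cracked = blocked = 0
    t = 0.0
    for pw in passwords:
        for user in usernames:
            result = service.login(ip, user, pw, t)
            t += 1.0
            if result == "ok":
                cracked += 1
            elif result in ("rate-limited", "locked"):
                blocked += 1
    return cracked, blocked


if __name__ == "__main__":
    print("per-username limit only:", password_spray(LoginService(per_ip_limit=None),
                                                      "203.0.113.5", USERNAMES, COMMON_PASSWORDS))
    print("per-username + per-IP:  ", password_spray(LoginService(),
                                                      "203.0.113.5", USERNAMES, COMMON_PASSWORDS))
```

The same `SlidingWindowLimiter` keyed on client IP is what the comment proposes for the password reset form: it does not remove the enumeration oracle, but it caps how many candidates one source can test per window. The usual caveats apply to any per-IP control: attackers spread requests across many addresses, and users behind a shared NAT or proxy share one bucket, so the limit and window need to be chosen with both in mind and the key should be the real client address rather than a spoofable header.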


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2014-01-14 Thread Leo Xiong
** Changed in: mahara
 Assignee: (unassigned) => Leo Xiong (hello-w)

** Changed in: mahara
   Status: Triaged => In Progress

Status in Mahara ePortfolio:
  In Progress


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2013-12-15 Thread Aaron Wells
** Changed in: mahara
Milestone: 1.8.1 => 1.8.2

Status in Mahara ePortfolio:
  Triaged


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2013-10-03 Thread Aaron Wells
** Changed in: mahara
Milestone: 1.8.0 => 1.8.1

Status in Mahara ePortfolio:
  Triaged


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2013-09-30 Thread Aaron Wells
** Changed in: mahara
   Importance: Medium => Low

Status in Mahara ePortfolio:
  Triaged


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2013-09-29 Thread Aaron Wells
** Changed in: mahara
Milestone: 1.8rc1 => 1.8.0

Status in Mahara ePortfolio:
  Triaged


[Mahara-contributors] [Bug 1203924] Re: Bruteforce username/email enumeration vuln in password reset screen

2013-09-09 Thread Aaron Wells
** Summary changed:

- Bruteforce user enumeration vuln in password reset screen
+ Bruteforce username/email enumeration vuln in password reset screen

Status in Mahara ePortfolio:
  Triaged