
Bug#727678: wiki.debian.org: Small security related glitch in user registration / login process



Package: wiki.debian.org
Version: current
Severity: normal


Maybe I missed something, but I think I found a small security 
related glitch in the wiki.debian.org registration process.

It seems currently possible to
	(a) confirm the existence of a wiki.debian.org account
	(b) reveal its linked email address

REMARK:
	(a) This might be always possible as you can simply try visiting:
		https://wiki.debian.org/SomePerson
	    ? - Did not try to see what happens if one deletes his own Homepage.
	(b) This should really be a small security glitch as there is the "General option" on the users' "Preferences" page:
		"Publish my email (not my wiki homepage) in author info"

Here is what I did:
	* Click on "Login"
	* Click on "Forgot your password"
	* Enter username, email
	* You get: "If this account exists an email was sent."

So far so good, but:

	* Click on "Login"
	* Click on "you can create one now"
	* Enter a username you want to know if it exists
	* Enter any email address and any password
	* Click "Create Profile"
	* You get: "This user name already belongs to somebody else. If this is a new account and you need another verification link, try sending another one."

So this tells you that the account exists.

	* Click on "try sending another one" (works even if "User account has already been verified!")
	* You get: "Verification message re-sent to knuth@posern.org"

And this tells you its linked email address.

Tormen.
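The following is an added illustration, not part of the bug report above and not code from MoinMoin or wiki.debian.org. It models the two findings in the report (a registration reply that differs for taken and free user names, and a "resend verification" reply that echoes the stored address and works on already-verified accounts) as a plain-Python sketch beside a hardened variant that answers uniformly and never reveals where mail went. The account names, addresses and message strings are constructed for the example.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    username: str
    email: str
    verified: bool
    # Constructed stand-in for an outgoing mail queue, so the example runs offline.
    outbox: list = field(default_factory=list)


# Constructed sample accounts; names and addresses are made up for this example.
ACCOUNTS = {
    "ExistingUser": Account("ExistingUser", "owner@example.invalid", verified=True),
    "PendingUser": Account("PendingUser", "pending@example.invalid", verified=False),
}


def _send_verification(account: Account) -> None:
    """Queue a verification mail for the account's stored address."""
    account.outbox.append(f"verification link for {account.username}")


# --- Behaviour as described in the bug report (leaky) ---------------------

def create_profile_leaky(username: str, email: str, password: str) -> str:
    """Registration that answers differently for taken and free user names.
    (password is unused here; a real handler would hash and store it.)"""
    if username in ACCOUNTS:
        return ("This user name already belongs to somebody else. If this is a new "
                "account and you need another verification link, try sending another one.")
    ACCOUNTS[username] = Account(username, email, verified=False)
    _send_verification(ACCOUNTS[username])
    return "Verification link sent. Check your email."


def resend_verification_leaky(username: str) -> str:
    """Resend that works for already-verified accounts and echoes the stored address."""
    account = ACCOUNTS.get(username)
    if account is None:
        return "Unknown user name."
    _send_verification(account)
    return f"Verification message re-sent to {account.email}"


# --- Hardened variant -----------------------------------------------------

UNIFORM_CREATE = ("If that user name is available, a verification link has been "
                  "sent to the address you entered.")
UNIFORM_RESEND = ("If a matching unverified account exists, a new verification "
                  "link has been sent to its registered address.")


def create_profile_hardened(username: str, email: str, password: str) -> str:
    """Same response whether or not the name is taken; mails only a genuinely new account."""
    if username not in ACCOUNTS:
        ACCOUNTS[username] = Account(username, email, verified=False)
        _send_verification(ACCOUNTS[username])
    return UNIFORM_CREATE


def resend_verification_hardened(username: str) -> str:
    """Resend only for unverified accounts, and never reveal where the mail went."""
    account = ACCOUNTS.get(username)
    if account is not None and not account.verified:
        _send_verification(account)
    return UNIFORM_RESEND


def leaks_account_info(create_fn, resend_fn) -> bool:
    """True if a requester can distinguish a taken name from a free one, or learn
    the stored address, from the responses alone (the two findings in the report)."""
    probe = "Probe" + secrets.token_hex(4)  # fresh name, so the free-name path is exercised
    taken = create_fn("ExistingUser", "requester@example.invalid", "pw")
    free = create_fn(probe, "requester@example.invalid", "pw")
    resent = resend_fn("ExistingUser")
    return taken != free or ACCOUNTS["ExistingUser"].email in resent


if __name__ == "__main__":
    print("leaky variant leaks:", leaks_account_info(create_profile_leaky, resend_verification_leaky))
    print("hardened variant leaks:", leaks_account_info(create_profile_hardened, resend_verification_hardened))
```

The hardened replies are written so that they stay truthful in every branch (the mail is sent only where the sentence says it might be), which is what lets the same string be returned regardless of account state; pairing this with rate limiting on both endpoints keeps the remaining timing or volume signals small.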

