Re: [Django] #31505: Document possible email address enumeration in PasswordResetView.


Django
Apr 23, 2020, 2:49:35 AM
to django-...@googlegroups.com
#31505: Document possible email address enumeration in PasswordResetView.
-------------------------------------+-------------------------------------
Reporter: Mohammad Almazroa | Owner: felixxm
Type: | Status: assigned
Cleanup/optimization |
Component: Documentation | Version: 3.0
Severity: Normal | Resolution:
Keywords: User Enumeration | Triage Stage: Accepted
Security Bug |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* has_patch: 0 => 1
* version: master => 3.0


Comment:

[https://github.com/django/django/pull/12780 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/31505#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django
Apr 23, 2020, 3:26:10 AM
to django-...@googlegroups.com

Comment (by Florian Apolloner):

Replying to [ticket:31505 Mohammad Almazroa]:
> Remediation:
> Set up a random sleep time when the email does not exist. The response
> time of correct and incorrect email should be the same.

This is not a remediation; you can average that out with a few requests…

--
Ticket URL: <https://code.djangoproject.com/ticket/31505#comment:5>

Django
Apr 23, 2020, 4:41:33 AM
to django-...@googlegroups.com

Comment (by Mohammad Almazroa):

Replying to [comment:5 Florian Apolloner]:

> Replying to [ticket:31505 Mohammad Almazroa]:
> > Remediation:
> > Set up a random sleep time when the email does not exist. The
> > response time of correct and incorrect email should be the same.
>
> This is not a remediation; you can average that out with a few requests…

A random sleep time should be within the range that the
"PasswordResetView" takes to send an email. This way it is not clear
which response time means a valid or an invalid email.
That is just an idea; if you have something better I think we should do
it.

--
Ticket URL: <https://code.djangoproject.com/ticket/31505#comment:6>

Django
Apr 23, 2020, 4:43:54 AM
to django-...@googlegroups.com

Comment (by Mohammad Almazroa):

Replying to [comment:1 felixxm]:
> First of all, please note that security issues
> [https://docs.djangoproject.com/en/stable/internals/security/#reporting-security-issues should be privately sent]
> to secu...@djangoproject.com and never on public issue trackers.
>
> Your analysis is correct, however `PasswordResetView` sends an email
> which always takes extra time. We don't know how much it takes, so adding
> a fixed delay is impossible, and for a random sleep time you'd just need a
> bit of statistics to figure it out.
>
> I think we could document this potential account existence leak in
> [https://docs.djangoproject.com/en/3.0/topics/auth/default/#django.contrib.auth.views.PasswordResetView PasswordResetView].

Really sorry that I reported it publicly here.

--
Ticket URL: <https://code.djangoproject.com/ticket/31505#comment:7>

Django
Apr 23, 2020, 4:46:36 AM
to django-...@googlegroups.com

Comment (by Florian Apolloner):

Replying to [comment:6 Mohammad Almazroa]:

> A random sleep time should be within the range that the
> "PasswordResetView" takes to send an email. This way it is not clear
> which response time means a valid or an invalid email.

But you don't know how long sending emails takes, so it will just be a
relatively good guess at best which does not help since it can be
determined via enough requests…

--
Ticket URL: <https://code.djangoproject.com/ticket/31505#comment:8>

Django
Apr 23, 2020, 4:49:10 AM
to django-...@googlegroups.com

Comment (by Mohammad Almazroa):

Replying to [comment:8 Florian Apolloner]:

> Replying to [comment:6 Mohammad Almazroa]:
> > A random sleep time should be within the range that the
> > "PasswordResetView" takes to send an email. This way it is not clear
> > which response time means a valid or an invalid email.
>
> But you don't know how long sending emails takes, so it will just be a
> relatively good guess at best which does not help since it can be
> determined via enough requests…

You are totally correct.
And I just saw your comment on GitHub about using "a 3rd party package that
allows to send emails asynchronously"; I hadn't thought of that at all.

Keep up the good work <3

--
Ticket URL: <https://code.djangoproject.com/ticket/31505#comment:9>

Django
Apr 27, 2020, 12:06:32 PM
to django-...@googlegroups.com
#31505: Document possible email address enumeration in PasswordResetView.
-------------------------------------+-------------------------------------
Reporter: Mohammad Almazroa | Owner: felixxm
Type: | Status: closed
Cleanup/optimization |
Component: Documentation | Version: 3.0
Severity: Normal | Resolution: fixed
Keywords: User Enumeration | Triage Stage: Accepted
Security Bug |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by GitHub <noreply@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"ca769c8c13df46b8153a0a4ab3d748e88d6e26f9" ca769c8]:
{{{
#!CommitTicketReference repository=""
revision="ca769c8c13df46b8153a0a4ab3d748e88d6e26f9"
Fixed #31505 -- Doc'd possible email addresses enumeration in
PasswordResetView.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/31505#comment:10>

Django
Apr 27, 2020, 12:08:08 PM
to django-...@googlegroups.com

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"04bc3577eddef6bef52d440f4f53877bcae264c5" 04bc3577]:
{{{
#!CommitTicketReference repository=""
revision="04bc3577eddef6bef52d440f4f53877bcae264c5"
[3.0.x] Fixed #31505 -- Doc'd possible email addresses enumeration in
PasswordResetView.

Backport of ca769c8c13df46b8153a0a4ab3d748e88d6e26f9 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/31505#comment:11>

Django
Apr 28, 2020, 10:07:59 AM
to django-...@googlegroups.com

Comment (by Mohammad Almazroa):

Question: why not fix PasswordResetView? Documenting it is just not
enough.

--
Ticket URL: <https://code.djangoproject.com/ticket/31505#comment:12>

Django
Apr 28, 2020, 10:32:44 AM
to django-...@googlegroups.com

Comment (by Florian Apolloner):

Replying to [comment:12 Mohammad Almazroa]:

> Question: why not fix PasswordResetView? Documenting it is just not
> enough.

Well, suggestions on fixes are welcome… Unless we want to change the reset
view to enter the username (in which case we'd leak usernames instead), I
do not see any obvious way on how to fix this.

--
Ticket URL: <https://code.djangoproject.com/ticket/31505#comment:13>

Django
Apr 28, 2020, 9:26:31 PM
to django-...@googlegroups.com

Comment (by Mohammad Almazroa):

Replying to [comment:13 Florian Apolloner]:

> Replying to [comment:12 Mohammad Almazroa]:
> > Question: why not fix PasswordResetView? Documenting it is just not
> > enough.
>
> Well, suggestions on fixes are welcome… Unless we want to change the
> reset view to enter the username (in which case we'd leak usernames
> instead), I do not see any obvious way on how to fix this.

"You can use a 3rd party package that allows to send emails
asynchronously" .. this is your solution and it's valid. Why don't you
make the reset view send emails asynchronously?

--
Ticket URL: <https://code.djangoproject.com/ticket/31505#comment:14>
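The two designs argued over in this thread, as an added illustration that is not part of the ticket and not Django's code: a toy model of the reset request path with a deterministic cost counter in place of wall-clock time. The user table and cost units are constructed; `reset_inline` is the behaviour the ticket describes (the send happens only for known addresses), `reset_inline_jittered` is the reporter's random-sleep proposal (the mean response cost still differs by the average send cost, which is Florian's objection), and `reset_deferred` is the asynchronous design from comment 9 and comment 14. One assumption of the example goes beyond the thread: the worker does the user lookup as well as the send, so the request path performs identical work for every input.

```python
"""Toy model of a password-reset request path: inline email sending versus a
queued (asynchronous) send. Added example; this is not Django's code."""
import queue
import random
import threading

# Constructed user table and cost model; the numbers are arbitrary units,
# not measurements of Django or of any mail server.
USERS = {"alice@example.com": "alice"}
COST_LOOKUP = 2    # cost of the database lookup
COST_SEND = 50     # cost of the SMTP round trip
COST_ENQUEUE = 1   # cost of putting a job on the queue


class Clock:
    """Deterministic cost counter standing in for wall-clock time, so the
    comparison is reproducible instead of depending on a real mail server."""

    def __init__(self):
        self.t = 0

    def spend(self, units):
        self.t += units


def lookup_user(email, clock):
    clock.spend(COST_LOOKUP)
    return USERS.get(email)


def send_reset_mail(email, clock, sent):
    clock.spend(COST_SEND)
    sent.append(email)


def reset_inline(email, sent):
    """Sync design: lookup and send both happen inside the request, so the
    response cost depends on whether the address is known."""
    clock = Clock()
    if lookup_user(email, clock) is not None:
        send_reset_mail(email, clock, sent)
    return clock.t


def reset_inline_jittered(email, sent, rng):
    """The remediation proposed in the ticket: pad unknown addresses with a
    random sleep. The padding only changes the variance; the mean response
    cost of an unknown address still sits below that of a known one."""
    clock = Clock()
    if lookup_user(email, clock) is not None:
        send_reset_mail(email, clock, sent)
    else:
        clock.spend(rng.randint(0, COST_SEND))
    return clock.t


def mean_cost(handler, email, samples, seed=0):
    """Average response cost over repeated requests with a fixed seed."""
    rng = random.Random(seed)
    return sum(handler(email, [], rng) for _ in range(samples)) / samples


def reset_deferred(email, work_queue):
    """Async design: the request only enqueues the raw address. Both the
    lookup and the send move to the worker (assumption of this example),
    so the request path does the same work for every input."""
    clock = Clock()
    clock.spend(COST_ENQUEUE)
    work_queue.put(email)
    return clock.t


def worker(work_queue, sent):
    """Background worker; its cost is never visible in the HTTP response."""
    clock = Clock()
    while True:
        email = work_queue.get()
        if email is None:          # sentinel: shut down
            return
        if lookup_user(email, clock) is not None:
            send_reset_mail(email, clock, sent)


def run_deferred(emails):
    """Serve a batch of reset requests with one background worker. Returns
    (response cost per request, list of addresses actually emailed)."""
    sent = []
    work_queue = queue.Queue()
    t = threading.Thread(target=worker, args=(work_queue, sent))
    t.start()
    costs = [reset_deferred(e, work_queue) for e in emails]
    work_queue.put(None)
    t.join()
    return costs, sent


if __name__ == "__main__":
    known, unknown = "alice@example.com", "nobody@example.com"
    print("inline:  ", reset_inline(known, []), reset_inline(unknown, []))
    print("jittered:", mean_cost(reset_inline_jittered, known, 2000),
          mean_cost(reset_inline_jittered, unknown, 2000))
    print("deferred:", run_deferred([known, unknown])[0])
```

In a real Django project the equivalent hand-off is to have the reset form's `send_mail` enqueue the message on a task queue instead of sending it; note that this alone still leaves the user lookup inline, which is why the model above moves the lookup into the worker too.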
