This repository has been archived by the owner on Dec 1, 2023. It is now read-only.
Security Fix for User Enumeration - huntr.dev #954
https://huntr.dev/users/mufeedvh has fixed the User Enumeration vulnerability. mufeedvh has been awarded $25 for fixing the vulnerability through the huntr bug bounty program. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
GitHub Issue URL | #935
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/packagist/pagekit/1/README.md
User Comments:
Metadata
Bounty URL: https://www.huntr.dev/bounties/1-packagist-pagekit
Description
pagekit is vulnerable to Username Enumeration: the response message on the Reset Password page differs depending on whether an email exists or not, making it easy for an attacker to tell whether an account exists.
Technical Description
An attacker can find out whether a certain email/user exists or not just by submitting a victim's email address.
If the email exists, the request responds with:
If it doesn't, it responds with:
The function resides in /pagekit/app/system/modules/user/src/Controller/ResetPasswordController.php. As you can see, the response comes from these exceptions:
and
Just changing these strings is enough to fix the issue. To stop the attacker from enumerating users, we can change the strings to:
Proof of Concept (PoC)
The PoC is nicely detailed in this issue: #935
As you can see, it's just a string response, so changing the strings is enough to fix the issue.
Proof of Fix (PoF)
Changed the two strings to "If this email exists, you will receive an email with the reset instructions.", making it impossible for an attacker to identify account existence from the response.
User Acceptance Testing (UAT)
Just a string change, no breaking changes are introduced.
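The pattern this PR applies, shown as an added illustration rather than pagekit's own controller code or the PR author's diff: the "before" handler returns a different message depending on whether the address is registered, the "after" handler returns the PR's single message in both cases. The user repository, mailer and the "before" message strings are hypothetical stand-ins (the PR body does not reproduce the original exception messages); only the fixed string is taken from the PR.

```php
<?php
// Added illustration of the fix pattern described in this PR. Not pagekit's
// code: the repository, mailer and "before" messages are hypothetical.

declare(strict_types=1);

// Constructed in-memory user store standing in for a real user repository.
final class FakeUserRepository
{
    /** @var array<string, string> email => username */
    private array $users = ['alice@example.com' => 'alice'];

    public function findByEmail(string $email): ?string
    {
        return $this->users[$email] ?? null;
    }
}

// Records what would have been sent instead of delivering mail.
final class RecordingMailer
{
    /** @var list<string> */
    public array $sent = [];

    public function sendResetLink(string $email): void
    {
        $this->sent[] = $email;
    }
}

// BEFORE: the two outcomes produce different messages, so the response alone
// reveals whether the address is registered (message texts are placeholders).
function requestResetVulnerable(string $email, FakeUserRepository $users, RecordingMailer $mailer): string
{
    if ($users->findByEmail($email) === null) {
        throw new RuntimeException('Unknown email address.');
    }
    $mailer->sendResetLink($email);
    return 'Check your email for the password reset link.';
}

// AFTER: one message for both outcomes. Mail is still sent only when the
// account exists, but nothing in the response body depends on that.
function requestResetFixed(string $email, FakeUserRepository $users, RecordingMailer $mailer): string
{
    if ($users->findByEmail($email) !== null) {
        $mailer->sendResetLink($email);
    }
    return 'If this email exists, you will receive an email with the reset instructions.';
}

// Check that the fixed handler is indistinguishable for known and unknown addresses.
$users = new FakeUserRepository();
$mailer = new RecordingMailer();
$known = requestResetFixed('alice@example.com', $users, $mailer);
$unknown = requestResetFixed('nobody@example.com', $users, $mailer);
assert($known === $unknown);
assert($mailer->sent === ['alice@example.com']);
echo $known === $unknown ? "responses identical\n" : "responses differ\n";
```

Message parity is what this PR delivers. When reviewing a fix like this, also confirm that the two branches return the same HTTP status code, and be aware that doing extra work (such as sending mail synchronously) in only one branch can leave a response-time difference; queueing the mail or otherwise equalising the work in both branches closes that gap.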