The existence of a weblate account is guessable (CVE-2017-5537) #1317

Closed
jelly opened this issue Jan 9, 2017 · 1 comment

@jelly
jelly commented Jan 9, 2017

Steps to reproduce

  1. Login to weblate with a valid email, but wrong password

Actual behaviour

Weblate displays: "User with this email address was not found."

Expected behaviour

Weblate displays: "Invalid password or username / email address"

Displaying that a user with this email address is not found makes it possible to do user enumeration to figure out if an account exists. Since dumps of password / email address are widely available and password re-use is a thing, displaying if an account is on the server is a valid threat.

The login form also does not seem to implement any rate-limiting which makes it easy to bruteforce.

Server configuration

Standard.

@nijel (Member)

nijel commented Jan 17, 2017

This happens on password reset only, not on login form. Indeed this is information leak...
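The leak jelly reports, next to the fix direction nijel's reply implies (a reply that does not depend on whether the account exists), as an added Python example. This is not Weblate's code and not the content of commit abe0d2a; it models the password-reset endpoint nijel identifies as the affected form, not the login form. The USERS table, the SENT and RESET_QUEUE stand-ins, SlidingWindowLimiter, all function names and the generic message text are constructed for this illustration and are not taken from Weblate. The hardened handler moves the existence check off the request path into a background worker, so status, message and request-path work are identical for known and unknown addresses; the limiter addresses the missing rate limit jelly mentions.

```python
"""Password-reset handler, leaky vs. hardened (constructed example, not Weblate code)."""
import secrets
import time
from collections import defaultdict, deque

# Constructed sample account table (email -> user id); stands in for the real user store.
USERS = {"alice@example.org": 1, "bob@example.org": 2}

# Stand-ins for the mail backend and a background job queue (constructed, not Weblate's).
SENT = []          # (email, token) pairs that would have been e-mailed
RESET_QUEUE = []   # addresses waiting for the background worker

# Assumed wording; the point is that it is the same for every address.
GENERIC_MESSAGE = ("If an account with this email address exists, "
                   "a password reset link has been sent.")


def send_reset_mail(email, token):
    SENT.append((email, token))


def reset_leaky(email):
    """The behaviour reported in the issue: the reply says whether the account exists."""
    if email not in USERS:
        return {"status": 200, "message": "User with this email address was not found."}
    send_reset_mail(email, secrets.token_urlsafe(32))
    return {"status": 200, "message": "Password reset email sent."}


def reset_hardened(email):
    """Same status, same message and same request-path work for any address.

    Existence is only checked by the worker that drains RESET_QUEUE, so nothing
    observable in the HTTP response (text, status, or work done) depends on it.
    """
    RESET_QUEUE.append(email)
    return {"status": 200, "message": GENERIC_MESSAGE}


def process_reset_queue():
    """Background worker: sends mail only to addresses that actually have an account."""
    while RESET_QUEUE:
        email = RESET_QUEUE.pop(0)
        if email in USERS:
            send_reset_mail(email, secrets.token_urlsafe(32))


def responses_distinguishable(handler, known="alice@example.org",
                              unknown="nobody@example.org"):
    """The check an attacker or tester runs: do a known and an unknown address differ?"""
    return handler(known) != handler(unknown)


class SlidingWindowLimiter:
    """Per-key sliding-window limiter for the missing rate limit noted in the issue."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock          # injectable so tests are deterministic
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_reset_request(client_ip, email, limiter):
    """Hardened endpoint: rate-limit per client first, then give the generic answer."""
    if not limiter.allow(client_ip):
        return {"status": 429, "message": "Too many requests, try again later."}
    return reset_hardened(email)
```

responses_distinguishable is the enumeration test itself: it returns True for reset_leaky and False for reset_hardened. Keying the limiter on client IP alone is a simplification; in practice a second limit keyed on the target address stops one address being hammered from many sources.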

@nijel nijel added this to the 2.11 milestone Jan 17, 2017
@nijel nijel added the bug Something is broken. label Jan 17, 2017
@nijel nijel closed this as completed in abe0d2a Jan 17, 2017
@nijel nijel changed the title The existence of a weblate account is guessable The existence of a weblate account is guessable (CVE-2017-5537) Jan 20, 2017
@nijel nijel self-assigned this Jan 20, 2017
nijel added a commit that referenced this issue Jan 20, 2017
This can leak information whether account exists or not.

Fixes #1317

Signed-off-by: Michal Čihař <michal@cihar.com>