Server side info disclosure/ Spamming inbox #1041

Closed
sulemanmalik003 opened this issue Dec 21, 2016 · 5 comments

@sulemanmalik003 sulemanmalik003 commented Dec 21, 2016

Good evening,

My name is Suleman Malik and I'm a security researcher. I have found a security vulnerability on https://www.python.org/accounts/password/reset/. Password reset is vulnerable to an email flooding vuln. Image is attached with this report.

===Mitigation===
Use a rate limit function or captcha in order to stop this kind of attack.

Here are two links that are disclosing server side information, including server name, version and operating system being used on python.org.

http://mail.python.org/
https://hg.python.org/

Looking forward!

Suleman Malik
InfoSec Researcher
www.sulemanmalik.com
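The mitigation the report asks for, as an added example that is not code from this issue or from the pythondotorg repository: a sliding-window rate limiter for a password-reset endpoint, keyed by both the requesting client IP and the target email address, so one mailbox cannot be flooded and one client cannot drive the mailer. The class and function names, the limits (5 per IP, 3 per address per hour) and the sample addresses are assumptions chosen for illustration; the clock is injectable so the window can be exercised without sleeping.

```python
import time
from collections import defaultdict, deque


class ResetRateLimiter:
    """Sliding-window counter keyed by client IP and by target email (hypothetical)."""

    def __init__(self, per_ip=5, per_email=3, window_seconds=3600, clock=time.monotonic):
        self.per_ip = per_ip
        self.per_email = per_email
        self.window = window_seconds
        self.clock = clock  # injectable so tests can advance time without sleeping
        self._by_ip = defaultdict(deque)
        self._by_email = defaultdict(deque)

    def _prune(self, timestamps, now):
        # Drop request timestamps that have aged out of the window.
        while timestamps and now - timestamps[0] >= self.window:
            timestamps.popleft()

    def allow(self, ip, email):
        """Return True and record the request only if both quotas have room."""
        now = self.clock()
        key = email.strip().lower()  # Foo@x.com and foo@x.com share one quota
        ip_hits, email_hits = self._by_ip[ip], self._by_email[key]
        self._prune(ip_hits, now)
        self._prune(email_hits, now)
        if len(ip_hits) >= self.per_ip or len(email_hits) >= self.per_email:
            return False
        ip_hits.append(now)
        email_hits.append(now)
        return True


def request_password_reset(limiter, ip, email, send_mail):
    """Endpoint logic (hypothetical): send mail only while under the limit, but
    always return the same message so the response reveals neither whether the
    address is registered nor whether the limit was hit."""
    if limiter.allow(ip, email):
        send_mail(email)
    return "If that address exists, a reset link has been sent."


def simulate_flood(limiter, ip, email, attempts, outbox):
    """Drive the endpoint `attempts` times; return how many mails were sent."""
    before = len(outbox)
    for _ in range(attempts):
        request_password_reset(limiter, ip, email, outbox.append)
    return len(outbox) - before


if __name__ == "__main__":
    fake_now = [0.0]
    limiter = ResetRateLimiter(clock=lambda: fake_now[0])
    outbox = []  # constructed stand-in for the mail backend
    # 50 requests for one address from one client: only 3 mails leave.
    print(simulate_flood(limiter, "198.51.100.7", "victim@example.com", 50, outbox))
    fake_now[0] += 3601  # window expires, quota is available again
    print(simulate_flood(limiter, "198.51.100.7", "victim@example.com", 50, outbox))
```

Denied attempts do not consume quota here, which keeps the code short; a production limiter would typically also count denied attempts against the IP and store the counters in a shared cache rather than process memory.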

@MarkMangoba MarkMangoba self-assigned this Dec 23, 2016

@malemburg malemburg commented Jan 4, 2017

I think it's rather unlikely that someone will use this to mail bomb people, but a rate limit or captcha would be a nice way to protect against automated attacks.

As always: patches are welcome (the site's source code is available in this repo).

Thanks.


@sulemanmalik003 sulemanmalik003 commented Jan 4, 2017

Thank you for your reply. Did you check the other links that are disclosing the server side information, including the version and OS?
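A check for the second finding in the report, added here as an example and not taken from this issue or from python.org's configuration: it parses the header block of a raw HTTP response and flags headers such as `Server` or `X-Powered-By` whose value carries a version number or an operating-system name. The two sample responses are constructed, not captured from the linked hosts; the function names, the header list and the OS token list are assumptions.

```python
import re

# Response headers that commonly carry software, version or OS details (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")
VERSION_RE = re.compile(r"\b\d+\.\d+")
OS_TOKENS = ("ubuntu", "debian", "centos", "red hat", "fedora",
             "freebsd", "win32", "win64", "unix")


def parse_headers(raw_response):
    """Return {lower-case name: value} for the header block of a raw HTTP response."""
    headers = {}
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block; the body is not parsed
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(raw_response):
    """Return (header, value, what is disclosed) for each header that exposes a
    version number or an operating system name."""
    findings = []
    headers = parse_headers(raw_response)
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        disclosed = []
        if VERSION_RE.search(value):
            disclosed.append("version")
        if any(token in value.lower() for token in OS_TOKENS):
            disclosed.append("operating system")
        if disclosed:
            findings.append((name, value, " and ".join(disclosed)))
    return findings


# Constructed sample responses; the values are illustrative, not observed.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in find_disclosures(VERBOSE_RESPONSE):
        print("disclosed:", finding)
    print("hardened findings:", find_disclosures(HARDENED_RESPONSE))
```

The hardened sample is what a web server emits once version and platform reporting are turned off (for Apache httpd, `ServerTokens Prod`); the check is meant to be run against a site's own responses as a regression test after such a change.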


@malemburg malemburg commented Jan 4, 2017


@MarkMangoba MarkMangoba commented Jan 4, 2017

@sulemanmalik003 I discussed this with the pythondotorg workgroup back when it was reported on IRC, sorry for not closing this - the issue was fixed. As @malemburg said, patches are welcome, and feel free to contribute.

@MarkMangoba MarkMangoba closed this Jan 4, 2017

@sulemanmalik003 sulemanmalik003 commented Jan 4, 2017

Great, thank you.
