Server side info disclosure/ Spamming inbox

[sulemanmalik003]

Good evening,

My name is suleman Malik and im security researcher. I have found a security vulnerability on https://www.python.org/accounts/password/reset/. Password reset is vulnerable to email flooding vuln. Image is attached with this report.

===Mitigation===
Use rate limit function or captcha in order to stop this kind of attack.

Here are two links that are disclosing server side information including server name version and operating system being used on python.org.

http://mail.python.org/
https://hg.python.org/

Looking forward!

Suleman Malik
InfoSec Researcher
www.sulemanmalik.com

[malemburg]

I think it's rather unlikely that someone will use this to mail bomb people, but a rate limit or captcha would be nice way to protect against automated attacks.

As always: patches are welcome (the site's source code is available in this repo).

Thanks.

[sulemanmalik003]

Thank you for your reply. Did you check the other links that are disclosing the server side information including the version and OS.

[malemburg]

On 04.01.2017 16:57, sulemanmalik003 wrote: Thank you for your reply. Did you check the other links that are disclosing the server side information including the version and OS.

Yes. Those are harmless.

[MarkMangoba]

@sulemanmalik003 I discussed this with the pythondotorg workgroup back when it was reported on IRC, sorry for not closing this - the issue was fixed. As @malemburg patches are welcome, and feel free to contribute.

[sulemanmalik003]

Great Thank you..