Server side info disclosure/ Spamming inbox #1041

Closed
sulemanmalik003 opened this issue Dec 21, 2016 · 5 comments
sulemanmalik003 commented Dec 21, 2016

Good evening,

My name is Suleman Malik and I'm a security researcher. I have found a security vulnerability on https://www.python.org/accounts/password/reset/. Password reset is vulnerable to an email flooding vuln. An image is attached with this report.

===Mitigation===
Use a rate limit function or captcha in order to stop this kind of attack.

Here are two links that are disclosing server side information, including server name, version and operating system being used on python.org.

http://mail.python.org/
https://hg.python.org/

Looking forward!

Suleman Malik
InfoSec Researcher
www.sulemanmalik.com
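One way to implement the rate limit the report recommends, as an added example and not python.org's own code: a sliding-window limiter keyed on both the requester's IP and the target address, so neither one inbox from many IPs nor many inboxes from one IP can be flooded. The limit, window and handler wrapper are assumed values, not taken from the site.

```python
import time
from collections import defaultdict, deque


class ResetRateLimiter:
    """Allow at most `limit` reset requests per `window` seconds per key.

    Two keys are checked on every request: the requester's IP and the
    normalized target e-mail address. Assumed defaults: 3 per hour.
    """

    def __init__(self, limit=3, window=3600, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable so tests can fake time
        self._events = defaultdict(deque)

    def _prune(self, key, now):
        # Drop timestamps that have fallen out of the window.
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, ip, email):
        now = self.clock()
        keys = (f"ip:{ip}", f"email:{email.strip().lower()}")
        # Deny if either the IP or the mailbox has hit its cap.
        if any(len(self._prune(k, now)) >= self.limit for k in keys):
            return False
        for k in keys:
            self._events[k].append(now)
        return True


def handle_reset_request(limiter, ip, email, send_mail):
    """Hypothetical view wrapper: only send when under the limit.

    The response is identical whether or not mail went out, so a throttled
    request cannot be used to learn which addresses are registered.
    """
    if limiter.allow(ip, email):
        send_mail(email)
    return "If an account with that address exists, a reset link has been sent."
```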

@MarkMangoba MarkMangoba self-assigned this Dec 23, 2016
@malemburg
Member

I think it's rather unlikely that someone will use this to mail bomb people, but a rate limit or captcha would be a nice way to protect against automated attacks.

As always: patches are welcome (the site's source code is available in this repo).

Thanks.

@sulemanmalik003
Author

Thank you for your reply. Did you check the other links that are disclosing the server side information, including the version and OS?

@malemburg
Member

malemburg commented Jan 4, 2017 via email

@MarkMangoba
Contributor

@sulemanmalik003 I discussed this with the pythondotorg workgroup back when it was reported on IRC, sorry for not closing this - the issue was fixed. As @malemburg said, patches are welcome, and feel free to contribute.

@sulemanmalik003
Author

Great, thank you.
