Server side info disclosure / Spamming inbox #1041

Closed
sulemanmalik003 opened this Issue Dec 21, 2016 · 5 comments

sulemanmalik003 commented Dec 21, 2016

Good evening,

My name is Suleman Malik and I'm a security researcher. I have found a security vulnerability on https://www.python.org/accounts/password/reset/. The password reset is vulnerable to an email flooding vulnerability. An image is attached with this report.

===Mitigation===
Use a rate limit function or a captcha in order to stop this kind of attack.

Here are two links that are disclosing server side information, including the server name, version and operating system being used on python.org.

http://mail.python.org/
https://hg.python.org/

Looking forward!

Suleman Malik
InfoSec Researcher
www.sulemanmalik.com
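The mitigation the report asks for, worked as an added example (this is not pythondotorg's code and not the reporter's): a sliding-window limiter applied twice, once keyed on the requesting client address and once on the target mailbox. The per-mailbox limit is the one that actually stops a victim's inbox being flooded from many source addresses. The limit values, the `send_reset_mail()` stub and the addresses in the demo are assumptions made for illustration.

```python
"""Rate limiting for a password-reset endpoint.

Added example, not pythondotorg's code. It assumes the view can see the
client's address and the target e-mail; the limits and the
send_reset_mail() stub are illustrative and not taken from the project.
"""
import time
from collections import defaultdict, deque

# Illustrative limits (assumption): (max requests, window in seconds).
IP_LIMIT = (5, 15 * 60)      # one client address: 5 requests per 15 minutes
EMAIL_LIMIT = (3, 60 * 60)   # one target mailbox: 3 reset mails per hour

SENT_MAIL = []  # stands in for the mail backend so the example runs offline


def send_reset_mail(email):
    """Hypothetical stub for the real mailer; records the recipient instead of sending."""
    SENT_MAIL.append(email)


class SlidingWindowLimiter:
    """Allow at most `limit` hits per `window` seconds for each key.

    Timestamps are kept per key and aged out on every check, so a burst at
    the end of one fixed window followed by a burst at the start of the next
    (the usual fixed-window loophole) is still counted together.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:   # drop aged-out timestamps
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class PasswordResetGate:
    """Two independent limits: per requesting client and per target mailbox.

    The per-client limit stops one source hammering the endpoint; the
    per-mailbox limit is what protects a victim when the requests come from
    many different addresses.
    """

    def __init__(self, clock=time.monotonic):
        self.by_ip = SlidingWindowLimiter(*IP_LIMIT, clock=clock)
        self.by_email = SlidingWindowLimiter(*EMAIL_LIMIT, clock=clock)

    def request_reset(self, client_ip, email):
        """Return {"status": http_status, "sent": bool}.

        The 200 response is the same whether or not a mail actually went out,
        so a caller cannot use the limiter to learn which mailboxes are live.
        """
        email = email.strip().lower()   # Alice@ and alice@ share one bucket
        if not self.by_ip.allow(client_ip):
            return {"status": 429, "sent": False}
        if not self.by_email.allow(email):
            return {"status": 200, "sent": False}   # silently dropped
        send_reset_mail(email)
        return {"status": 200, "sent": True}


if __name__ == "__main__":
    gate = PasswordResetGate()
    for i in range(7):   # constructed demo: one client, one victim mailbox
        print(i + 1, gate.request_reset("198.51.100.7", "Victim@example.org"))
```

The counters here live in process memory, which is fine for a demo but not for a site served by several workers; in a Django deployment they belong in a shared store such as the cache framework backed by memcached or Redis. Behind a reverse proxy the client key must come from the forwarded address only when the proxy is trusted, otherwise the per-client limit is trivially spoofed. Showing a CAPTCHA once a limit trips, rather than refusing outright, keeps the endpoint usable for a legitimate user who forgot their password several times in a row.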
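For the second finding (server name, version and operating system visible in responses from mail.python.org and hg.python.org), the check a practitioner would run over saved response headers, as an added example that is not the project's code. The two response heads below are constructed for illustration; they are not captures from either host. Raw headers for a real host can be fetched with `curl -sI https://hg.python.org/` and fed to the same function.

```python
"""Flag HTTP response headers that disclose server software, version or platform.

Added example; the sample responses are constructed, not captured from python.org.
"""
import re

# "Apache/2.2.22 (Debian) mod_wsgi/3.3" -> version tokens and a parenthesised platform
VERSION_RE = re.compile(r"([A-Za-z][\w\-]*)/(\d[\w.\-]*)")
COMMENT_RE = re.compile(r"\(([^)]*)\)")
TECH_HEADERS = ("x-powered-by", "x-aspnet-version")   # any value here is a disclosure


def parse_headers(raw):
    """Parse a raw response head (status line plus headers) into {lowercase name: [values]}."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers = {}
    for line in lines[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def disclosures(raw):
    """Return (header, finding) pairs; an empty list means nothing version-like was exposed."""
    headers = parse_headers(raw)
    found = []
    for value in headers.get("server", []):
        for product, version in VERSION_RE.findall(value):
            found.append(("server", "version %s/%s" % (product, version)))
        for comment in COMMENT_RE.findall(value):
            found.append(("server", "platform %s" % comment))
    for name in TECH_HEADERS:
        for value in headers.get(name, []):
            found.append((name, "technology %s" % value))
    return found


# Constructed samples (assumption): a verbose default and a hardened configuration.
VERBOSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Debian) mod_wsgi/3.3 Python/2.7.3\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    for label, head in (("verbose", VERBOSE), ("hardened", HARDENED)):
        print(label, disclosures(head))
```

The fix is configuration rather than code: on Apache httpd, `ServerTokens Prod` reduces the Server header to the product name and `ServerSignature Off` removes the version line from server-generated error pages; on nginx, `server_tokens off` does the same. Hiding the banner is defence in depth only: it removes a free fingerprint, but it does not patch the software, and behavioural fingerprinting remains possible.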

@MarkMangoba MarkMangoba self-assigned this Dec 23, 2016

malemburg commented Jan 4, 2017

I think it's rather unlikely that someone will use this to mail bomb people, but a rate limit or captcha would be a nice way to protect against automated attacks.

As always: patches are welcome (the site's source code is available in this repo).

Thanks.

sulemanmalik003 commented Jan 4, 2017

Thank you for your reply. Did you check the other links that are disclosing the server side information, including the version and OS?

malemburg commented Jan 4, 2017

MarkMangoba commented Jan 4, 2017

@sulemanmalik003 I discussed this with the pythondotorg workgroup back when it was reported on IRC, sorry for not closing this - the issue was fixed. As @malemburg said, patches are welcome, and feel free to contribute.

@MarkMangoba MarkMangoba closed this Jan 4, 2017

sulemanmalik003 commented Jan 4, 2017

Great, thank you.
