Skip to content
Permalink
Browse files

Fix account enumeration in account manager

It was possible to enumerate the names and email addressess in the
account manager page when trying to delete an account.

Thanks to Tim Schaefers of internetwache.org for reporting this issue
  • Loading branch information...
terrorobe committed Jun 2, 2014
1 parent 1cc902a commit cd48f1d30f4a76f3e0cf9bc1b292a1fe88c57fa2
Showing with 7 additions and 0 deletions.
  1. +7 −0 etherpad/src/etherpad/control/pro/admin/account_manager_control.js
@@ -207,6 +207,13 @@ function render_delete_account_get(accountId) {
response.write("Account not found.");
return true;
}

/* Prevent username/email enumeration */
if (account.domainId != domains.getRequestDomainId()) {
response.write("Account not found.");
return true;
}

pro_admin_control.renderAdminPage('delete-account', {
account: account,
errorDiv: _errorDiv

0 comments on commit cd48f1d

Please sign in to comment.
You can’t perform that action at this time.