Moodle tracker issue MDL-71068

Usernames or emails can be enumerated under certain conditions with $CFG->protectusernames on

    Details

      Description

      There are a couple of edge cases which $CFG->protectusernames does not correctly protect against when an account is in the intermediate, unconfirmed state.

      Specifically:

      1) A freshly created account which is unconfirmed: if you request a forgotten password using its email, you get an error message instead of the confirmation email simply being re-sent, so you can tell it apart from an already confirmed email.

      2) Same as above, but using the username.

      3) Combinations of the above when there are also duplicate emails in the system.
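The following is an added Python model of the forgotten-password flow described above; it is not Moodle's PHP code. The leaky handler reproduces the three reported edge cases, the hardened handler keeps the response constant regardless of account state, and `responses_are_uniform` is the check a reviewer would run against either. Accounts, messages and the `outbox` list are constructed for the example.

```python
# Added example (not Moodle code): a forgotten-password handler with
# $CFG->protectusernames on, leaky vs. hardened. Sample data is constructed.
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    confirmed: bool


# Constructed accounts covering the report's three cases.
USERS = [
    User("alice", "alice@example.org", True),       # normal confirmed account
    User("bob", "bob@example.org", False),          # freshly created, unconfirmed
    User("carol", "shared@example.org", True),      # duplicate email, confirmed
    User("carol2", "shared@example.org", False),    # duplicate email, unconfirmed
]

GENERIC = ("If you supplied a correct username or email address "
           "then an email should have been sent to you.")


def _lookup(identifier):
    return [u for u in USERS if identifier in (u.username, u.email)]


def leaky_forgot_password(identifier, outbox):
    """State-dependent messages: an unconfirmed or duplicate-email account is
    distinguishable from a confirmed one and from a nonexistent one."""
    matches = _lookup(identifier)
    if len(matches) > 1:
        return "Error: more than one account uses this email address."
    if matches and not matches[0].confirmed:
        return "Error: this account has not been confirmed yet."
    for u in matches:
        outbox.append((u.email, "reset"))
    return GENERIC


def hardened_forgot_password(identifier, outbox):
    """Constant response; every state-dependent decision happens server side:
    re-send confirmation if unconfirmed, reset link if confirmed, nothing if ambiguous."""
    matches = _lookup(identifier)
    if len(matches) == 1:
        u = matches[0]
        outbox.append((u.email, "reset" if u.confirmed else "confirm"))
    return GENERIC


def responses_are_uniform(handler, identifiers):
    """Defender's check: the response text leaks nothing about account state
    when every identifier, existing or not, yields the same message."""
    return len({handler(i, []) for i in identifiers}) == 1
```

Run the check with a mix of confirmed, unconfirmed, duplicate and nonexistent identifiers; only the hardened handler passes.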

            People

            Assignee:
            Brendan Heywood
            Reporter:
            Brendan Heywood
            Peer reviewer:
            Peter Burnett
            Integrator:
            Adrian Greeve
            Tester:
            CiBoT
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
            Votes:
            0
            Watchers:
            3

              Dates

              Fix Release Date:
              25/Mar/21

                Time Tracking

                Estimated:
                Not Specified
                Remaining:
                0 minutes
                Logged:
                1 hour