Moodle tracker issue MDL-71068

Usernames or emails can be enumerated under certain conditions with $CFG->protectusernames on


Description

There are just a couple of edge cases which $CFG->protectusernames doesn't correctly protect against when an account is in the intermediate, unconfirmed state.

      Specifically:

1) For a freshly created account which is unconfirmed, you can request a forgotten password using its email and it will give you an error message instead of just re-sending the confirmation email, so you can tell it is different from an already confirmed email.

2) Same as above, but using their username.

3) Combinations of the above, but when there are also duplicate emails in the system.
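As an added illustration (not code from the Moodle tracker or from Moodle itself), here is a simplified Python model of the forgotten-password flow showing the edge cases above beside a hardened version, plus a regression check that flags when the response differs across account states. All account names, addresses and messages are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    email: str
    confirmed: bool


# Constructed sample accounts (not Moodle data): one confirmed, one
# unconfirmed, and two sharing an email, one of which is unconfirmed.
USERS = [
    User("alice", "alice@example.org", True),
    User("bob", "bob@example.org", False),
    User("carol", "shared@example.org", True),
    User("dave", "shared@example.org", False),
]

GENERIC = "If the details match an account, an email has been sent."


def _lookup(field, value):
    return [u for u in USERS if getattr(u, field) == value]


def forgot_password_leaky(field, value, protectusernames=True):
    """Model of the reported behaviour: the duplicate-email and unconfirmed
    branches return their own errors before protectusernames is consulted,
    so the message reveals the account's state."""
    matches = _lookup(field, value)
    if len(matches) > 1:
        return "Error: more than one account uses this email."
    if matches and not matches[0].confirmed:
        return "Error: this account has not been confirmed yet."
    if not matches and not protectusernames:
        return "Error: no account matches."
    return GENERIC


def forgot_password_fixed(field, value, protectusernames=True):
    """Hardened model: with protectusernames on, every outcome (confirmed,
    unconfirmed, duplicate, nonexistent) returns the same message; which
    email to send, reset or confirmation, is decided internally only."""
    if not protectusernames:
        return forgot_password_leaky(field, value, protectusernames=False)
    # Lookup and mail sending would happen here without affecting the reply.
    return GENERIC


def distinct_responses(handler, field, probes):
    """Regression check: count distinct messages over a set of probe values.
    Exactly one distinct message means there is no enumeration oracle."""
    return len({handler(field, p) for p in probes})
```

Running `distinct_responses` over confirmed, unconfirmed, duplicate and nonexistent identities is the kind of check that would have caught this regression before release.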


People

Brendan Heywood
Peter Burnett
Adrian Greeve
CiBoT
Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Sujith Haridasan

Resolved: 25/Mar/21
