Prevent discovery of CAS users via enumeration

Created on 15 August 2019, over 5 years ago
Updated 25 July 2023, over 1 year ago

Problem/Motivation

Background: https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessab...(OWASP-AT-002)

First, there are two core issues that are trying to fix the "user enumeration" issue:

But CAS goes beyond that: given some hints (user names and/or email addresses), an attacker can determine which of them belong to CAS users by submitting them to the /user/password form.

Proposed resolution

Do not reveal whether an account is a CAS user or not. Fall back to the core behaviour, but fail silently (no distinguishing message or error) on any password reset action when restrict_password_management is TRUE and the account is a CAS user.
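One way to implement the "fail silently" part, as an added example that is not code from the CAS module: a hypothetical helper module cas_enum_safe that implements hook_mail_alter() and drops the password_reset mail for CAS-managed accounts while letting core's /user/password form run unchanged, so the visible response is identical for every submitted name or email. It assumes the CAS module's cas.user_manager service exposes getCasUsernameForAccount($uid) and that the flag is stored at user_accounts.restrict_password_management in cas.settings; both are assumptions about the CAS API, not something this issue confirms. Whatever currently distinguishes CAS users on the user_pass form (a CAS-specific validation error, for instance) would have to be removed at the same time, otherwise the leak remains.

```php
<?php

/**
 * @file
 * Hypothetical helper module (cas_enum_safe) illustrating the proposed fix.
 *
 * Not part of the CAS module. Assumes the cas.user_manager service exposes
 * getCasUsernameForAccount($uid) and that cas.settings stores the flag at
 * user_accounts.restrict_password_management.
 */

use Drupal\user\UserInterface;

/**
 * Implements hook_mail_alter().
 *
 * Core's UserPasswordForm submit handler runs unchanged and prints the same
 * status message for every submitted identifier. The only change is that the
 * password_reset mail is never handed to the mail backend when the target is
 * a CAS-managed account and password management is restricted. The response
 * the browser receives is therefore indistinguishable from a normal reset.
 */
function cas_enum_safe_mail_alter(array &$message) {
  // Mail IDs are "<module>_<key>"; user_pass sends 'password_reset'.
  if ($message['id'] !== 'user_password_reset') {
    return;
  }
  $account = $message['params']['account'] ?? NULL;
  if (!$account instanceof UserInterface) {
    return;
  }
  if (_cas_enum_safe_reset_blocked($account)) {
    // MailManager skips the transport when 'send' is FALSE and reports no
    // error to the caller, so nothing reaches the page or the attacker.
    $message['send'] = FALSE;
    // Server-side record only; never surfaced to the submitter.
    \Drupal::logger('cas_enum_safe')->notice(
      'Suppressed password reset mail for CAS-managed account %name.',
      ['%name' => $account->getAccountName()]
    );
  }
}

/**
 * Returns TRUE when password resets must be silently dropped for $account.
 */
function _cas_enum_safe_reset_blocked(UserInterface $account): bool {
  $restricted = (bool) \Drupal::config('cas.settings')
    ->get('user_accounts.restrict_password_management');
  if (!$restricted) {
    return FALSE;
  }
  // Assumed CAS API: returns the linked CAS username, or an empty value when
  // the Drupal account is not linked to CAS.
  $cas_username = \Drupal::service('cas.user_manager')
    ->getCasUsernameForAccount($account->id());
  return !empty($cas_username);
}
```

Because core's submit handler still runs, its own "Password reset instructions mailed to %name" log entry will be written even though delivery was suppressed; the cas_enum_safe log line above records what actually happened. Timing is the remaining side channel: the suppressed path skips the mail transport and may return faster than a real send, so a production fix should keep the response time comparable (for example by queueing mail instead of sending inline) rather than relying on the message text alone.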

Remaining tasks

TBD

User interface changes

TBD

API changes

None.

Data model changes

None.

Release notes snippet

N/A

🐛 Bug report
Status

Active

Version

2.0

Component

CAS

Created by

claudiu.cristea (Arad, Romania)

Tags

Security
