Username enumeration via password reset

Created on 14 April 2024, 8 months ago

Updated 2 September 2024, 4 months ago

Problem/Motivation

This was originally reported to the security team who decided it could be public
There is a vulnerability in Drupal's user password reset function.
The Drupal version I checked is 10.2.3.
The frontend theme is Olivero 10.2.3.

You can see this vulnerability by:

Steps to reproduce

1. Access the page below and receive a password reset URL email.
https://example.com/user/password

2. Get it without clicking the URL below in the email.
https://example.com/user/reset/＜my-uid＞/1708915080/LuZCUc1oOXJA86OUkCg7j6HDzulz4SbvRHeI-uNl6BE

3. When you access the URL obtained in step 2, you will be redirected to the following, but using a tool such as Burp,
Modify the redirect URL before redirecting.

From：https://example.com/user/reset/＜my-uid＞
To：https://example.com/user/reset/＜modify-uid＞

4. The following message is displayed on the redirect URL (https://example.com/user/reset/＜modify-uid＞).
You will be able to view other people's %user_name.
*This is registered as a translated message at (/admin/config/regional/translate).

This is a one-time login for %user_name and will expire on %expiration_date.

Click on this button to log in to the site and change your password.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report

Status

Closed: duplicate

Version

11.0 🔥

Component

User system →

Last updated about 4 hours ago

Maintained by
🇺🇸United States @moshe weitzman
🇧🇪Belgium @kristiaanvandeneynde

Created by

🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10

Live updates comments and jobs are added and updated live.

Security improvements
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Comments & Activities

Issue created by @larowlan
Comment 8 months ago →
🇯🇵Japan shuuhei1.yamamoto@scsk.jp
larowlan → credited shuuhei1.yamamoto@scsk.jp → .
Comment 8 months ago →
🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10
Comment 8 months ago →
🇺🇸United States nicxvan
This seems similar to issues solved by this contrib module: https://www.drupal.org/project/username_enumeration_prevention →

I would like to see a core solution for this since a lot of external auditors flag it and I think it gets reported back.
Status changed to Closed: duplicate 4 months ago10:14am 2 September 2024
Comment 4 months ago →
🇮🇳India sukr_s
This has been fixed with 🐛 Harden user_pass_rehash() against attack Fixed

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024