
Bug#727678: wiki.debian.org: Small security related glitch in user registration / login process



On Fri, Oct 25, 2013 at 11:42:39AM +0200, Tormen wrote:
>Package: wiki.debian.org
>Version: current
>Severity: normal

Hi, thanks for the report!

>Maybe I missed something, but I think I found a small security 
>related glitch in the wiki.debian.org registration process.
>
>It seems currently possible to
>	(a) confirm the existence of a wiki.debian.org account
>	(b) reveal its linked email address

Right. The first is a hard one to fix, the second one I will work on
shortly. More details below:

>REMARK:
>	(a) This might be always possible as you can simply try visiting:
>		https://wiki.debian.org/SomePerson
>	    ? - Did not try to see what happens if one deletes his own Homepage.

The SomePerson page isn't actually created automatically with the
account - it's up to people to set those up (or not) as they see fit.

>	(b) This should really be a small security glitch as there is the "General option" on the users "Preferences" page:
>		"Publish my email (not my wiki homepage) in author info"

Right.

>Here is what I did:
>	* Click on "Login"
>	* Click on "Forgot your password"
>	* Enter username, email
>	* You get: "If this account exists an email was sent."
>
>So far so good, but:
>
>	* Click on "Login"
>	* Click on "you can create one now"
>	* Enter a username you want to know if it exists
>	* Enter any email address and any password
>	* Click "Create Profile"
>	* You get: "This user name already belongs to somebody else. If this is a new account and you need another verification link, try sending another one."
>
>So this tells you that the account exists.

Right. It's trying to be more friendly when creating a new account,
and a fairly standard approach on most websites where accounts are set
up by users directly. I'm not overly bothered to change this, I'll be
honest. Usernames need to be unique.

>	* Click on "try sending another one" (works even if "User account has already been verified!")
>	* You get: "Verification message re-sent to knuth@posern.org"
>
>And this tells you its linked email address.

Correct. I'll fix that message to remove the email address. It's often
useful for debug, but it does leak too much. I'll also add a check on
current verification state too.

-- 
Steve McIntyre                                        93sam@debian.org
Debian wiki admin - wiki.debian.org
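The fix Steve describes for point (b), sketched as an added example in Python (this is illustration code, not part of the mail above and not MoinMoin's own code): the re-send handler as the report observed it, beside a version that returns one fixed message whatever the account state, only mails still-unverified accounts, and never echoes the stored address. The user records and addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    email: str
    verified: bool


# Constructed sample user store (hypothetical names and addresses).
USERS = {
    "ExistingUser": Account("ExistingUser", "someone@example.org", True),
    "PendingUser": Account("PendingUser", "pending@example.org", False),
}

# One response for every outcome, so the reply carries no account information.
GENERIC_RESPONSE = (
    "If this account exists and is still unverified, "
    "a verification message has been sent."
)


def resend_verification_leaky(username):
    """Behaviour the report describes: re-sends even for an already
    verified account and puts the linked address in the response."""
    acct = USERS.get(username)
    if acct is None:
        return "No such user."  # also distinguishes existing from missing
    return f"Verification message re-sent to {acct.email}"


def resend_verification_fixed(username, send_mail):
    """Hardened form: the address goes only to the mail transport
    (send_mail is called with it), never into the HTTP response, and
    unknown, verified and pending accounts all get the same text."""
    acct = USERS.get(username)
    if acct is not None and not acct.verified:
        send_mail(acct.email)
    return GENERIC_RESPONSE
```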

