owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0

Enhancement: Password reset should not reveal that account does not exist #23595

Closed thorsten19 closed 7 years ago

thorsten19 commented 8 years ago

Steps to reproduce

  1. Open the login page
  2. Enter a username that does not exist and a password
  3. Click on login and then, after the failed login, on the link 'Wrong password. Reset it?'

Expected behaviour

The same message as for successful password resets should be displayed to avoid account guessing. If Owncloud admins want to get the explicit message, for example to troubleshoot why mails are not sent/received, it would be great to have an option in the admin settings ('Password reset reveals non-existing accounts') that should be disabled by default.

Actual behaviour

Couldn't send reset email. Please make sure your username is correct

Server configuration

Operating system: Raspbian GNU/Linux 8 (jessie)
Web server: Apache
Database: MySql
PHP version: 5.5.44
ownCloud version: (see ownCloud admin page) 9.0.0

Updated from an older ownCloud or fresh install: Fresh install

Client configuration

Browser: Firefox 45.0.1
Operating system: Windows 7
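The behaviour the issue asks for, as an added Python sketch that is not ownCloud's code: one reset handler that returns the same message whether or not the username exists, with the proposed admin option off by default and the unknown-username detail written to a server-side log for troubleshooting instead of the response. The user directory, outbox and log are constructed stand-ins for the real user backend and mailer.

```python
import secrets
from dataclasses import dataclass, field

# Constructed user directory (assumption standing in for the user backend).
USERS = {"alice": "alice@example.invalid"}

# Shown for every request when the option is off, so the response does not
# distinguish an existing account from an unknown one.
GENERIC_MESSAGE = ("If an account with that name exists, a password reset "
                   "link has been sent to its e-mail address.")
# The current explicit message, only returned when the admin option is on.
EXPLICIT_MESSAGE = ("Couldn't send reset email. Please make sure your "
                    "username is correct")


@dataclass
class ResetService:
    users: dict
    reveal_nonexistent_accounts: bool = False  # proposed admin option, default off
    outbox: list = field(default_factory=list)  # (recipient, token) pairs "sent"
    tokens: dict = field(default_factory=dict)  # username -> pending reset token
    audit_log: list = field(default_factory=list)  # admin-only troubleshooting log

    def request_reset(self, username: str) -> str:
        """Handle a 'Reset it?' request and return the message for the requester."""
        email = self.users.get(username)
        # Generate the token on every path so the work done does not depend on
        # whether the account exists (keeps the timing side channel narrow).
        token = secrets.token_urlsafe(32)
        if email is None:
            # Detail goes to the server-side log, not to the requester.
            self.audit_log.append(f"password reset requested for unknown user {username!r}")
            if self.reveal_nonexistent_accounts:
                return EXPLICIT_MESSAGE
            return GENERIC_MESSAGE
        self.tokens[username] = token
        self.outbox.append((email, token))
        self.audit_log.append(f"password reset mail queued for {username!r}")
        return GENERIC_MESSAGE


if __name__ == "__main__":
    svc = ResetService(users=dict(USERS))
    print(svc.request_reset("alice"))
    print(svc.request_reset("nobody"))  # identical text to the line above
```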

RobinMcCorkell commented 8 years ago

@LukasReschke

I believe our stance on this is that user enumeration is possible through many other techniques, and it's far more effective to prevent brute force attacks on a user account via rate limiting or other policies rather than preventing user enumeration. Notice that many other services, Google included, also allow this kind of enumeration.

thorsten19 commented 8 years ago

Current Owncloud versions do not include any limit for user enumeration (no IP-address blocking or account locking after x unsuccessful login attempts). Saw in a different thread that in v9.1 enhancements may be included, but they were not yet confirmed. Changing the message for account resets would be simple and already address part of the account enumeration issue. https://www.owasp.org/index.php/Testing_for_Account_Enumeration_and_Guessable_User_Account_%28OTG-IDENT-004%29

fgeek commented 7 years ago

Does this vulnerability have oC-SA advisory or CVE identifier?

ghost commented 7 years ago

Possible fix is available in https://github.com/owncloud/core/issues/26934

@fgeek Most likely not, as commonly low-rated information disclosures like user enumeration seem to be out of the scope of the security program of oC:

Out of scope Usually, the following types of bugs are out of scope from our security program:

User enumeration

-> https://owncloud.org/security/

PVince81 commented 7 years ago

The actual PR: https://github.com/owncloud/core/pull/27011

lock[bot] commented 5 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.