sbpp / sourcebans-pp

Admin, ban, and comms management system for the Source engine
https://sbpp.github.io/
Creative Commons Attribution Share Alike 4.0 International

Vulnerability in Forgot Password implementation #975

Open butt0n-sudo opened 1 week ago

butt0n-sudo commented 1 week ago

The "Lost Password" page returns "The email address you supplied is not registered on the system" when an email address that is not registered is entered into the form.

This can allow for brute-forcing of valid email addresses.

This also works when "Normal Login" is disabled, by calling the `LostPassword` AJAX call directly.

CWE-204: Observable Response Discrepancy

https://github.com/sbpp/sourcebans-pp/blob/a80430e3b9c2b4662a59d7d532bf64f4197b9861/web/includes/sb-callback.php#L140

Rushaway commented 1 week ago

Thanks for the report, @Hackmastr will review it ASAP to get it merged.