Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by Gazzar - 05.03.2025
Last edited by cbay - 06.03.2025

FS#136 - users email address enumeration

There is an ability to enumerate users' email addresses through
admin.alwaysdata.com/password/lost/
If I enter a registered email, it will display that the email has been sent,
but if the mail is not registered it will say:
The form contains some errors.
Email address of your account : There is no account with this email address.
So we can brute force using a list of emails and get some registered mails.
There is a rate limit but it's very poor, as waiting 20 seconds after 7 or 8 requests will be OK and not banned with a 429 response.

Suggested solution: say that the email is sent if this email has an account,
as here: admin.alwaysdata.com/login/
If the email or password is wrong it says the credentials are incorrect, not that the email is incorrect, as here emails can be enumerated.
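An added illustration (not alwaysdata's code) of the two behaviours the report contrasts: a lost-password handler whose response reveals whether the address has an account, beside one that answers identically either way, plus a rolling-window rate limiter that does not reset after a short pause. The account set, outbox and client addresses are constructed sample data.

```python
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed sample data: registered accounts and an outbox standing in for mail delivery.
REGISTERED = {"alice@example.com", "bob@example.com"}
OUTBOX = []


def lost_password_leaky(email: str) -> dict:
    """Behaviour described in the report: status and message differ depending on
    whether the address is registered, so the form doubles as an account oracle."""
    if email not in REGISTERED:
        return {"status": 400, "message": "There is no account with this email address."}
    OUTBOX.append(email)
    return {"status": 200, "message": "Email sent."}


def lost_password_uniform(email: str) -> dict:
    """Hardened form: same status and message for every address; the reset mail
    is only actually queued when the address is registered."""
    if email in REGISTERED:
        OUTBOX.append(email)
    return {"status": 200, "message": "If this address has an account, a reset email has been sent."}


class SlidingWindowLimiter:
    """Per-client limiter over a rolling window. A fixed window that clears after a
    short pause (the report's 20 s) lets a client burst, wait, and burst again; a
    rolling window counts every request made in the last `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.hits[client]
        while q and now - q[0] > self.window:
            q.popleft()  # drop hits that have aged out of the window
        if len(q) >= self.limit:
            return False  # caller should answer 429 and not process the form
        q.append(now)
        return True
```

A uniform message is only half the fix: if the mail is sent synchronously, the registered case takes measurably longer, so hand the send to a background queue and answer immediately in both branches.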

Closed by cbay
06.03.2025 08:21
Reason for closing: Duplicate
Additional comments about closing:

https://security.alwaysdata.com/task/19
