CMD_LOST_PASSWORD Information Disclosure

tillo (Verified User; joined Oct 28, 2007; 862 messages; Switzerland)
A low risk vulnerability affects the CMD_LOST_PASSWORD function, optionally activated by the lost_password setting.

Username enumeration is possible: while existing usernames are treated as expected, invalid usernames show an error. While this kind of behavior is very common, it is in fact quite dangerous and often used by attackers to guess valid account names.

The application should continue normally without informing the user whether or not the username was correct.
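As an added illustration (example code, not from the original post or from the product it describes), the snippet below contrasts the behaviour the post reports with a constant-response lost-password handler. The account store, handler names and message text are assumptions; the hardened handler does the same work and returns the same status and body for known and unknown usernames, and a small self-check shows how a defender can confirm that the two responses are indistinguishable.

```python
"""Username enumeration through a lost-password function, and the fix.

Added example; ACCOUNTS, the handler names and the message text are assumptions,
not taken from any real product.
"""
import secrets

# Constructed sample account store (username -> e-mail address).
ACCOUNTS = {
    "alice": "alice@example.invalid",
    "bob": "bob@example.invalid",
}

# One message for every request, so the response never reveals whether the
# username is valid.
GENERIC_MESSAGE = "If an account with that username exists, a reset link has been sent."


def leaky_lost_password(username, outbox):
    """The pattern described in the post: an unknown username yields an error,
    a known one a success message, so responses differ by account existence."""
    if username not in ACCOUNTS:
        return {"status": 404, "body": "Error: no such user"}
    token = secrets.token_urlsafe(32)
    outbox.append((ACCOUNTS[username], token))  # stands in for sending the mail
    return {"status": 200, "body": "A reset link has been sent to your e-mail address."}


def constant_lost_password(username, outbox):
    """Hardened variant: identical status and body regardless of the username.

    The token is generated on every request so both branches do comparable
    work; only the delivery step depends on whether the account exists, and
    in a real deployment that step belongs in an asynchronous queue so it does
    not change the response time either.
    """
    token = secrets.token_urlsafe(32)
    if username in ACCOUNTS:
        outbox.append((ACCOUNTS[username], token))
    return {"status": 200, "body": GENERIC_MESSAGE}


def responses_distinguish(handler, known_user, unknown_user):
    """Defender's self-check: does the observable response (status + body)
    differ between a known and an unknown username? True means the endpoint
    can be used for username enumeration."""
    known = handler(known_user, [])
    unknown = handler(unknown_user, [])
    return known != unknown


if __name__ == "__main__":
    print("leaky handler enumerable:   ", responses_distinguish(leaky_lost_password, "alice", "mallory"))
    print("constant handler enumerable:", responses_distinguish(constant_lost_password, "alice", "mallory"))
```

Running the module prints `True` for the leaky handler and `False` for the constant one. Note that an identical response body is necessary but not sufficient: response time, set cookies and redirect targets must also be the same for known and unknown usernames, and the endpoint should be rate-limited so that the remaining signal (a reset e-mail arriving or not) cannot be harvested at scale.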
 