• Resolved ale8521

    (@ale8521)


    * It is possible to know whether an email entered belongs to a user of the application; this is possible in the password recovery form
    * In the user registration form you can know whether the username entered exists in the application. Although this is normal behavior and user registration is protected by CAPTCHA, through tests it was possible to show that multiple requests can be sent varying the username, and the response for this field varies, thus allowing dictionary attacks focused on enumeration
    * In public files such as the site map or configuration files it is possible to identify application users or emails associated with application users

    *-*-*-*-*-
    * As the response to entering an email for password recovery, always show the message of the successful case
    * Enumeration in the registration form is possible because individual responses are presented for each field. Perform the CAPTCHA validation first; if it fails, do not perform further field validations and present only this response
    * If possible, remove usernames or emails from configuration files
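The two mitigations proposed in the report above, as an added illustration rather than code from the plugin or the poster: a password-recovery handler whose reply is identical whether or not the address is registered (the mail is only queued internally), and a registration validator that checks the CAPTCHA before any per-field check, so a failed CAPTCHA produces one fixed response regardless of the username. The user table, the CAPTCHA stand-in and all function names are constructed for this example.

```python
"""Constructed illustration of uniform password-recovery replies and
CAPTCHA-first registration validation (not the plugin's own code)."""

# Constructed sample user table: username -> e-mail address.
USERS = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
}

# Single message shown to every caller of the recovery form.
RESET_MESSAGE = "If that address is registered, a recovery link has been sent."


def request_password_reset_leaky(email, users=USERS):
    """'Before' behaviour: the reply itself says whether the address exists."""
    if email in users.values():
        return "A recovery link has been sent."
    return "No account is registered with that e-mail address."


def request_password_reset(email, users=USERS, outbox=None):
    """Hardened: the caller always receives RESET_MESSAGE. The recovery mail is
    queued internally only when the address is known, so nothing in the
    response depends on account existence."""
    if outbox is not None and email in users.values():
        outbox.append({"to": email, "subject": "Password recovery"})
    return RESET_MESSAGE


def captcha_passes(token):
    """Stand-in for a real CAPTCHA verification call (constructed)."""
    return token == "valid-captcha-token"


def validate_registration_leaky(form, users=USERS):
    """'Before' behaviour: every field is validated and reported individually,
    so the username error alone answers 'does this account exist?' even when
    the CAPTCHA was never solved."""
    errors = {}
    if form.get("username") in users:
        errors["username"] = "This username is already taken."
    if not captcha_passes(form.get("captcha", "")):
        errors["captcha"] = "CAPTCHA verification failed."
    return errors


def validate_registration(form, users=USERS):
    """Hardened: CAPTCHA first. On failure return only that error and skip the
    per-field checks, so an unsolved CAPTCHA never yields username information.
    After a valid CAPTCHA the usual 'username taken' feedback is still given."""
    if not captcha_passes(form.get("captcha", "")):
        return {"captcha": "CAPTCHA verification failed."}
    errors = {}
    if form.get("username") in users:
        errors["username"] = "This username is already taken."
    return errors


def responses_differ(handler, probe_known, probe_unknown):
    """Defender-side check: does the handler's reply distinguish a known
    account from an unknown one? True means the endpoint is still enumerable."""
    return handler(probe_known) != handler(probe_unknown)


if __name__ == "__main__":
    known, unknown = "alice@example.com", "nobody@example.com"
    print("leaky reset enumerable:   ", responses_differ(request_password_reset_leaky, known, unknown))
    print("hardened reset enumerable:", responses_differ(request_password_reset, known, unknown))
    bad_a = {"username": "alice", "captcha": "wrong"}
    bad_b = {"username": "zed", "captcha": "wrong"}
    print("leaky registration enumerable:   ", responses_differ(validate_registration_leaky, bad_a, bad_b))
    print("hardened registration enumerable:", responses_differ(validate_registration, bad_a, bad_b))
```

The `responses_differ` helper is the check a reviewer would run against a staging instance: feed the endpoint one known and one unknown identifier and confirm the two replies are byte-identical. The hardened registration path still reports a taken username once the CAPTCHA is solved, which is the "normal behavior" the report accepts; what changes is that each probe now costs a solved CAPTCHA.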

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Contributor Champ Camba

    (@champsupertramp)

    Hi @ale8521

    Please contact us via [email protected] so we can have a closer look at these suggestions.

    Regards,

    Plugin Contributor Champ Camba

    (@champsupertramp)

    Hey there!

    This thread has been inactive for a while so we’re going to go ahead and mark it Resolved.

    Please feel free to re-open this thread by changing the Topic Status to ‘Not Resolved’ if any other questions come up and we’d be happy to help.

    Regards,

  • The topic ‘[NSFW] register form’ is closed to new replies.