Email enumeration exploit #7301

Open
vmario89 opened this issue Jan 3, 2025 · 1 comment
Comments

vmario89 commented Jan 3, 2025

Hi,

we got a security warning for Seafile which I wanted to share with you.

This affects all versions of Seafile as far as I know.

Steps to Reproduce

  • Go to the password reset page /accounts/password/reset/
  • Enter an unregistered email and click submit
  • You will then get an error message saying: That e-mail address doesn't have an associated user account. Are you sure you've registered?

Impact

  • An attacker can easily collect a large list of valid emails by using common dictionaries available on the internet.
  • Leaking users' emails leads to information disclosure. An attacker can conduct spear-phishing attacks against those users.

Fix

  • A better security practice is to simply say that you sent a link to the e-mail, no matter whether an account exists for it or not.

References

Code
See https://github.com/haiwen/seahub/blob/master/seahub/auth/forms.py#L89
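The behaviour described in the steps above and the fix proposed under "Fix", shown as an added example that is not seahub's code: a password-reset handler modelled in its enumerating form beside a hardened form that replies identically for registered and unregistered addresses, plus the dictionary probe an attacker would run against the enumerating one. The user store, the addresses, the wordlist and the `send_reset_mail` hook are all constructed for the example.

```python
"""Added example (not seahub's code): an enumerating password-reset handler,
a hardened one, and the dictionary probe that distinguishes them.
All data here is constructed; nothing talks to a real server."""
import secrets
from typing import Callable, Iterable, List, Tuple

# Constructed user store with hypothetical addresses; stands in for the database.
REGISTERED = {"alice@example.org", "bob@example.org"}

LEAKY_MESSAGE = ("That e-mail address doesn't have an associated user account. "
                 "Are you sure you've registered?")
NEUTRAL_MESSAGE = "If that address has an account, a reset link has been sent to it."

Response = Tuple[int, str]  # (HTTP status, body text), as a client would observe it


def send_reset_mail(email: str) -> None:
    """Hypothetical mail hook; a real handler would queue the message here
    rather than send it inline, so that timing does not leak what the body hides."""


def reset_leaky(email: str) -> Response:
    """Enumerating behaviour: the reply differs depending on whether the account exists."""
    if email.lower() not in REGISTERED:
        return 400, LEAKY_MESSAGE
    send_reset_mail(email)
    return 200, NEUTRAL_MESSAGE


def reset_uniform(email: str) -> Response:
    """Hardened behaviour: identical status and body whether or not the account exists.
    Mail is only queued for real users, but that is invisible to the client."""
    if email.lower() in REGISTERED:
        send_reset_mail(email)
    return 200, NEUTRAL_MESSAGE


def probe(handler: Callable[[str], Response], wordlist: Iterable[str]) -> List[str]:
    """Dictionary attack: take a baseline reply from a random address that cannot
    exist, then report every candidate whose reply differs from that baseline.
    Against a hardened endpoint every reply equals the baseline, so nothing is reported."""
    baseline = handler(f"{secrets.token_hex(8)}@example.invalid")
    return sorted(e for e in wordlist if handler(e) != baseline)


# Constructed wordlist, the kind an attacker would assemble from a public name list.
WORDLIST = ["admin@example.org", "alice@example.org", "bob@example.org",
            "carol@example.org", "root@example.org"]

if __name__ == "__main__":
    print("leaky endpoint reveals:", probe(reset_leaky, WORDLIST))
    # ['alice@example.org', 'bob@example.org']
    print("uniform endpoint reveals:", probe(reset_uniform, WORDLIST))
    # []
```

The same baseline-and-diff probe is also the check to run after deploying a fix: submit one known-valid and one certainly-invalid address and compare status code, body and response time. If the valid address triggers an inline SMTP send while the invalid one returns immediately, the timing difference re-opens the oracle that the uniform message closed, which is why the mail hook above is meant to enqueue rather than send.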

@freeplant (Member)

This is a nice-to-have improvement. In the old version, we did implement such a behaviour. But we had some users who were not good at using computers and complained about why login or password reset did not work. So we changed the behaviour to return the exact reason, to help them use the software better.

In summary, this is a tradeoff between security and usability. We don't have a plan to change the behaviour at the moment.
