Received via OpenBugBounty to Miraheze.
Bug: Email enumeration
Enumeration of the email addresses of already registered users is possible, and/or checking whether a user with a specific email address is registered on the website; this can then be used for phishing attacks or other malicious intent.
In the "Forgot Password" section, there is an implemented security measure regarding this specific flaw.
PoC:
- go to https://phabricator.miraheze.org/login/email/
- reset the password with an email that is not registered
- you get this response: "There is no account associated with that email address."
- when you enter an email that is already registered, you get a response telling you that the email was sent to your mailbox
The password reset function should provide a generic reply saying you have mail if account exists.
I will also report to Phab
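The fix the report asks for, shown as an added example rather than Phabricator's or Miraheze's own code: a password-reset handler that answers with a different message for unknown and known addresses (the enumeration oracle described above) next to one that returns the same generic reply either way. The user table, mailer stand-in and message strings are constructed for the illustration; the only detail taken from the report is the wording that confirms an address has no account.

```python
"""Password-reset handler: enumerating version beside the generic-reply fix.

Added example, not code from Phabricator or Miraheze. USERS, Outbox and the
message strings are constructed for the illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample user table (email -> display name).
USERS = {"alice@example.org": "Alice"}

# Leaky wording: the first string is the one quoted in the report and confirms
# that no account exists for the address; the second confirms that one does.
LEAKY_NOT_FOUND = "There is no account associated with that email address."
LEAKY_FOUND = "A password reset link was sent to your email address."

# Generic wording: identical whether or not the address is registered.
GENERIC = ("If an account exists for that email address, "
           "a password reset link has been sent to it.")


@dataclass
class Outbox:
    """Stand-in for the mailer; records what would have been sent."""
    sent: list = field(default_factory=list)


# Server-side store of hashed reset tokens, keyed by email (constructed).
RESET_TOKENS: dict = {}


def vulnerable_reset(email: str, outbox: Outbox) -> str:
    """Pre-fix behaviour: the reply text depends on whether the email exists."""
    if email not in USERS:
        return LEAKY_NOT_FOUND
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[email] = hashlib.sha256(token.encode()).hexdigest()
    outbox.sent.append((email, token))
    return LEAKY_FOUND


def hardened_reset(email: str, outbox: Outbox) -> str:
    """Fixed behaviour: same reply, and the same request-path work, either way.

    Mail still goes only to registered addresses, but nothing in the HTTP
    response tells the requester which branch ran.
    """
    # Generate and hash a token in both branches so that the response time
    # does not become a second, cruder oracle. This does not hide the mailer's
    # own latency, so mail delivery should stay off the request path.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    if email in USERS:
        RESET_TOKENS[email] = digest
        outbox.sent.append((email, token))
    return GENERIC


def responses_differ(handler) -> bool:
    """Regression check: do a registered and an unregistered address get
    different replies? True means the handler is an enumeration oracle."""
    known = handler("alice@example.org", Outbox())
    unknown = handler("nobody@example.org", Outbox())
    return known != unknown


if __name__ == "__main__":
    print("vulnerable handler leaks:", responses_differ(vulnerable_reset))
    print("hardened handler leaks:  ", responses_differ(hardened_reset))
```

The `responses_differ` check is the kind of assertion worth keeping in a test suite, because the leak is easy to reintroduce when someone later adds a "helpful" error message. The generic reply only closes the response-text channel: if the registered-address branch does noticeably more work (or sends mail synchronously), the difference in timing can still reveal account existence, which is why the hardened handler does equivalent work on both paths.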