This issue has been investigated by the Drupal Security Team, and it has been decided to handle it as a public security improvement.

After a failed login attempt, the link to the "Reset password" form in the error message includes the user's username or email address in the query string. This can lead to PII disclosure when following that link, e.g. when the target page includes advertisements that send the whole page URL as the referrer.
It should at least be configurable whether the email is included in the generated link or not. A proposed patch will be attached.

Steps to reproduce:
- try to log in to the site with a wrong password
- follow the "forgotten your password" link in the error message
- the user's username or email is now disclosed in the page URL.
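As an added example (not code from this issue or from Drupal core), a small Python check a site owner can run over web-server access logs to spot reset-password links that carry the name= query parameter, both in the request line and in the Referer of a later request, plus a scrub function that drops that parameter, which is the value the committed fix stops appending. The log lines are constructed samples; the path /user/password and the name parameter are Drupal's own.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample lines in Combined Log Format; not taken from any real site.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /user/password?name=alice%40example.com HTTP/1.1" 200 5120 "https://example.org/user/login" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /user/login HTTP/1.1" 200 4711 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /node/1 HTTP/1.1" 200 9000 "https://example.org/user/password?name=bob" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def leaks_identifier(url: str) -> bool:
    """True if url is Drupal's reset-password form with a name= query parameter."""
    parts = urlsplit(url)
    return parts.path.rstrip("/").endswith("/user/password") and "name" in parse_qs(parts.query)


def scrub_reset_link(url: str) -> str:
    """Return the link without its name= parameter; other parameters are kept."""
    parts = urlsplit(url)
    kept = {k: v for k, v in parse_qs(parts.query).items() if k != "name"}
    return urlunsplit(parts._replace(query=urlencode(kept, doseq=True)))


def find_leaks(log_text: str) -> list:
    """List (line_no, field) for each request URL or Referer that exposes the identifier.

    Only positions are reported, so the output itself does not repeat the username or e-mail.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        if leaks_identifier(m["url"]):
            hits.append((n, "request"))
        if m["referer"] != "-" and leaks_identifier(m["referer"]):
            hits.append((n, "referer"))
    return hits


if __name__ == "__main__":
    for n, field in find_leaks(SAMPLE_LOG):
        print(f"line {n}: identifier exposed in {field}")
```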

Issue fork drupal-2414187


Comments

cussack’s picture

Status: Active » Needs review
cussack’s picture

Added new patch to fix coding style issues.

pfrenssen’s picture

Version: 7.x-dev » 8.0.x-dev
Component: user system » user.module
Status: Needs review » Active

Security issues should not be posted in the public issue queue but directly to the security team. See How to report a security issue. I have made an issue for this in the private security queue: https://security.drupal.org/node/151218.

klausi’s picture

Issue summary: View changes
Issue tags: -Security +Security improvements

Republished this after consideration by the security team

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

greggles’s picture

One way to solve this with minimal intervention is to hard-code the path to login without a username in it as a translation string.

In settings.php:

// Drupal 7 string override: replaces the login error message so the reset
// link points at /user/password without the submitted name in the query string.
$conf['locale_custom_strings_en'][''] = array(
  'Sorry, unrecognized username or password. <a href="@password">Have you forgotten your password?</a>' => 'Sorry, unrecognized e-mail or password. <a href="/user/password">Have you forgotten your password?</a>',
);

rreiss’s picture


Another scenario with a similar information disclosure vulnerability (tested only on D7, but being added here as advised by the Drupal security team):

When logged in to a Drupal site (without any special privileges), I can go to the "my account" page, try changing my email to another email that is already in use by another user, and then I get the message "The e-mail address xxx@xxx.xxx is already taken". That allows an attacker to retrieve users that exist on the site.

Screenshot is attached.

tatarbj’s picture

I'm planning to bring this issue to the security improvements sprint of DrupalCamp Ruhr this weekend and work on it with sprinters - marking it with the tag of #dcruhr18_SecImproveSprint.

tstoeckler’s picture

Issue tags: +dcruhr18

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

Version: 9.4.x-dev » 10.1.x-dev
Issue tags: +Bug Smash Initiative

I tested on Drupal 10.1.x, minimal install. This is still valid.

BramDriesen made their first commit to this issue’s fork.

bramdriesen’s picture

Status: Active » Needs review
Issue tags: +DrupalCamp Ruhr 2023

Been thinking about this for a bit. I don't think this should be an opt-in feature like the patch in #2 is doing. I have checked a few other applications and CMS systems (including Wordpress) and none of them (which I tested) pre-fill the username/email field if there is one.

This might break a few tests so those will need to be fixed as well.

Also not sure what the preferred solution for this would be from the core maintainers perspective.

smustgrave’s picture

Status: Needs review » Needs work

Luckily only a failures :)

If I had to vote I would say the opt-in feature makes the most sense.

Though since it's only passing what was inputted in the username field, and not really validating the username, think the default should be to not include the username.

bramdriesen’s picture

I'm still more of a fan of removal. Having a checkbox in Core that makes your site less secure seems a tad weird (it would also need a disclaimer then, since it has security implications). We would also need to do config changes, provide an upgrade hook, etc. for this, which in my eyes looks a bit overkill as well. It's "just" the password forgot redirect query parameter :-) it's not like we are really breaking or changing functionality. Besides pre-filling that form, of course, but most people with browser autocomplete won't even notice this, I think.

bramdriesen’s picture

Status: Needs work » Needs review
smustgrave’s picture

Since I’ve never noticed this feature, I don’t see any issue removing it. I don’t think it would be much of a loss.

smustgrave’s picture

Status: Needs review » Reviewed & tested by the community

All green removing the feature.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

larowlan’s picture

Hiding patches, updated credits

  • larowlan committed 4b0e8708 on 11.x
    Issue #2414187 by BramDriesen, cussack: User email disclosure in /user/...
larowlan’s picture

Status: Reviewed & tested by the community » Fixed

Committed 4b0e870 and pushed to 11.x. Thanks!

Because of the minor behaviour change here, decided not to backport this.

Created a change record for the new behaviour

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.