Reported by multiple users to the Drupal Security team including Gaetan Ferry, Florian Guilbert, and Md. Ishrat Shahriyar
Can be a public bug based on Security Team policy at https://www.drupal.org/node/1004778
Problem/Motivation
When I go to a password reset link like:
https://_example.com/user/reset/1/0000000000/aaaaaaaaaaaaaaaaaaaaaaaaaaa...
I am redirected to https://_example.com/user/reset/1
And the user name for uid 1 is printed:
<p>This is a one-time login for %user_name and will expire on %expiration_date.</p>
Since user IDs are generated sequentially, I can enumerate all user login names.
Proposed resolution
The flaw is in \Drupal\user\Controller\UserController::getResetPassForm(), which invokes \Drupal\user\Form\UserPasswordResetForm::buildForm() via the form builder.
The form is built without checking that the timestamp and hash are valid; that check is only done in \Drupal\user\Controller\UserController::resetPassLogin().
The resolution would be to factor the validation code out into a helper method and call it from both places.
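As an added illustration of the proposed fix (this is not Drupal core code and not the reporter's patch), the following stand-alone PHP models the /user/reset/{uid}/{timestamp}/{hash} link with a constructed user table, a per-user secret and an HMAC in place of user_pass_rehash(). The user data, the 24-hour timeout and the exact ordering of checks are assumptions for the demo; the point it shows is the one the issue makes: a single validate_reset_link() helper runs on both the form-display path and the login path, so an invalid or expired link never gets as far as rendering the account name.

```php
<?php
// Added example, not Drupal core code: a minimal stand-alone model of the
// /user/reset/{uid}/{timestamp}/{hash} link. Names, secrets and timeout are
// constructed for the demo; the checks are a simplified model of what the
// login path already does, and the fix is to run the same checks on the
// form-display path before anything account-specific is rendered.

const RESET_TIMEOUT = 86400; // assumed 24h, in the spirit of user.settings:password_reset_timeout

// Constructed user table: uid => name, last login time, per-user secret.
$users = [
  1 => ['name' => 'admin',  'last_login' => 1700000000, 'secret' => 'demo-secret-1'],
  2 => ['name' => 'editor', 'last_login' => 0,          'secret' => 'demo-secret-2'],
];

// Stand-in for user_pass_rehash(): bind the hash to the account, its last
// login and the link timestamp so a link cannot be minted without the secret.
function rehash(array $user, int $timestamp): string {
  return hash_hmac('sha256', $user['last_login'] . ':' . $timestamp, $user['secret']);
}

// The helper the issue proposes: one validation routine shared by both paths.
// Returns 'ok', 'expired' or 'invalid' and never exposes account details.
function validate_reset_link(array $users, int $uid, int $timestamp, string $hash, int $now): string {
  if (!isset($users[$uid])) {
    return 'invalid';
  }
  $user = $users[$uid];
  if ($timestamp > $now || $timestamp < $user['last_login']) {
    return 'invalid';                     // forged, or already consumed by a later login
  }
  if ($user['last_login'] && $now - $timestamp > RESET_TIMEOUT) {
    return 'expired';
  }
  if (!hash_equals(rehash($user, $timestamp), $hash)) {
    return 'invalid';                     // constant-time comparison
  }
  return 'ok';
}

// Vulnerable shape of getResetPassForm(): the name is interpolated before
// any check, so any guessed uid yields the account name.
function build_form_vulnerable(array $users, int $uid, int $timestamp, string $hash): string {
  $name = $users[$uid]['name'] ?? 'unknown';
  return "This is a one-time login for $name.";
}

// Fixed shape: validate first, and return only a generic message on failure.
function build_form_fixed(array $users, int $uid, int $timestamp, string $hash, int $now): string {
  $status = validate_reset_link($users, $uid, $timestamp, $hash, $now);
  if ($status !== 'ok') {
    return 'You have tried to use a one-time login link that is no longer valid.';
  }
  $expires = date('c', $timestamp + RESET_TIMEOUT);
  return "This is a one-time login for {$users[$uid]['name']} and will expire on $expires.";
}

// resetPassLogin() calls the same helper, so the two paths cannot drift apart.
function reset_login(array $users, int $uid, int $timestamp, string $hash, int $now): string {
  return validate_reset_link($users, $uid, $timestamp, $hash, $now) === 'ok'
    ? "logged in as uid $uid"
    : 'denied';
}

// Demo: a link for uid 1 with a zero timestamp and a junk hash.
$now = 1700000500;
$junk = str_repeat('a', 64);
echo build_form_vulnerable($users, 1, 0, $junk), "\n";    // reveals "admin"
echo build_form_fixed($users, 1, 0, $junk, $now), "\n";   // generic message only
echo reset_login($users, 1, 0, $junk, $now), "\n";        // denied

// A genuine link still works on both paths.
$ts = $now - 60;
$good = rehash($users[1], $ts);
echo build_form_fixed($users, 1, $ts, $good, $now), "\n";
echo reset_login($users, 1, $ts, $good, $now), "\n";
```

A test for the real fix should follow the same shape: request the reset form with a valid uid but a bad hash or stale timestamp and assert that the response contains neither the account name nor any other per-account detail, while a freshly generated link still renders the form and logs in.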
Remaining tasks
patch
fix or add tests
User interface changes
n/a
API changes
n/a
Data model changes
n/a