You are here

Home » API reference » Username Enumeration Prevention 6

README.txt in Username Enumeration Prevention 6

Non-displayable characters.

File

README.txt
View source 
  1. 

  2. What Is Username Enumeration Prevention

  3. 

  4. By default Drupal is very secure (especially Drupal 7). However, there is a way to exploit 

  5. the system by using a technique called username enumeration. Both Drupal 6 and 7 have 

  6. this issue, but it is much worse for people using Drupal 6. This is because Drupal 6 does 

  7. not have any built in brute force prevention. When an attacker knows a username they can 

  8. start a brute force attack to gain access with that user. To help prevent this, it is best 

  9. if usernames on the system are not easy to find out.

  10. 

  11. Attackers can easily find usernames that exist by using the forgot password form and a 

  12. technique called “username enumeration”. The attacker can enter a username that does not 

  13. exist and they will get a response from Drupal saying so. All the attacker needs to do is 

  14. keep trying usernames on this form until they find a valid user.

  15. 

  16. This module will stop this from happening. When the module is enabled, the error message 

  17. will be replaced for the same message as a valid user and they will be redirected back to 

  18. the login form. If the user does not exist, no password reset email will be sent, but the 

  19. attacker will not know this is the case.

  20. 

  21. For a demonstration of this, visit the password reset page at zeusarticles.com and try to 

  22. enter an invalid username. This will show you the same message as a valid username.

  23. 

  24. Additional Notes

  25. 

  26. Enabling this module is one step to preventing the usernames on the system from being found 

  27. out but there are other known methods that are just as easy. These are:

  28. 

  29. 1. If a user belongs to a role that has "access user profiles" granted to it, then that user 

  30.    can serially visit all integers at the URL http://drupal.org/user/UID and get the username from 

  31.    the loaded profile pages. With this permission, the user can call the core callback at 

  32.    http://drupal.org/user/autocomplete/a and get the usernames. Replacing the “a” with each letter 

  33.    of the alphabet, prints an array of usernames.

  34.  

  35. 2. If a site has the views module installed then views exposes an autocomlete callback which can be 

  36.    similarly be enumerated with letters of the alphabet to get all the usernames. 

  37.    See http://drupal.org/admin/views/ajax/autocomplete/user/a for an example. This callback doesn't have 

  38.    any access restrictions assigned by the views module.

  39. 

  40.    Installing this module will make the views autocomplete callback require the “access user profiles” 

  41.    permission. This will prevent anonymous users from accessing the callback as long as the anonymous 

  42.    user role does not have “access user profiles” enabled.

  43. 

  44. If any of the two issues above exist then the module will notify the site builder when the module is enabled.

  45. 

  46. Note: There may be other places where usernames could be exposed that this module may not know about. 

  47. Examples are the "submitted by" information on nodes or comments, views, exposed filters or by other 

  48. contributed modules. Users looking to hide the usernames from comments and nodes should look at using 

  49. realname or some other tool.

  50. 

  51. Installing Username Enumeration Prevention:

  52. 

  53. Place the entirety of this directory in sites/all/modules/username_enumeration_prevention

  54.  

  55. Navigate to administer >> build >> modules. Enable Username Enumeration Prevention.

  56.