[GH-ISSUE #571] Username enumeration in login form #307

Closed
opened 2026-02-25 23:33:55 +03:00 by kerem · 0 comments
Owner

Originally created by @fleaz on GitHub (Feb 9, 2023).
Original GitHub issue: https://github.com/go-shiori/shiori/issues/571

Data

  • Shiori version: 1.5.4
  • Database Engine: sqlite
  • Operating system: Linux
  • CLI/Web interface/Web Extension: Web

Describe the bug / actual behavior

Depending on whether you use an existing or non-existing username to log in, you get different error messages. That's a (rather small) security risk, because an attacker can identify valid usernames before e.g. trying to bruteforce them.

There is also no CSRF token used for the login form (thanks to @mweinelt for this finding!), which means I could easily hammer the login form with a simple for-loop and curl combination in a bash script.

Expected behavior

Shiori should always return a generic "Invalid username or password" message in the login form.
Shiori should use a CSRF token to make the login more secure and harder to brute force.

To Reproduce

Steps to reproduce the behavior:

  1. Go to the login page
  2. Try logging in with an existing username but a wrong password
  3. Try logging in with a nonexisting username

Notes

% curl 'https://bookmarks.fleaz.me/api/login' -X POST  -d '{"username":"fleaz","password":"asd","remember":false}'
username and password don't match

% curl 'https://bookmarks.fleaz.me/api/login' -X POST  -d '{"username":"fleazz","password":"asd","remember":false}'
sql: no rows in result set
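The fix the report asks for, shown as an added example in Go (the language Shiori is written in) that is not code from the Shiori project: a login handler that echoes the underlying error, reproducing the two different messages in the curl session above, beside a hardened handler that maps both "no such user" and "wrong password" to the same generic message and the same HTTP status. The `userStore` map, the `hashPassword` helper (SHA-256, a stand-in for bcrypt/argon2 so the example runs with only the standard library), the sample account and the `/api/login` request shape are constructed for this example; the hardened path also compares against a dummy hash when the user does not exist, so the unknown-user branch does roughly the same work as the wrong-password branch and the response time does not become the next enumeration oracle.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"database/sql"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// genericLoginError is the one message every failed login returns.
const genericLoginError = "Invalid username or password"

type loginRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Remember bool   `json:"remember"`
}

// hashPassword is a stand-in for a real password hash (use bcrypt/argon2 in production);
// SHA-256 is used here only so the example runs with the standard library.
func hashPassword(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

// userStore is a constructed in-memory stand-in for the database layer.
type userStore map[string][32]byte

// lookup returns sql.ErrNoRows for a missing user, exactly as database/sql would.
func (s userStore) lookup(username string) ([32]byte, error) {
	h, ok := s[username]
	if !ok {
		return [32]byte{}, sql.ErrNoRows
	}
	return h, nil
}

var errPasswordMismatch = errors.New("username and password don't match")

// authenticate returns the error as the store / comparison produce it; the two
// handlers below differ only in how much of that error they reveal to the client.
func authenticate(s userStore, username, password string) error {
	stored, err := s.lookup(username)
	if err != nil {
		return err // sql.ErrNoRows propagates unchanged
	}
	given := hashPassword(password)
	if subtle.ConstantTimeCompare(stored[:], given[:]) != 1 {
		return errPasswordMismatch
	}
	return nil
}

// vulnerableLogin reproduces the reported behaviour: err.Error() goes straight to the
// client, so "sql: no rows in result set" vs "username and password don't match"
// tells the caller which usernames exist.
func vulnerableLogin(s userStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req loginRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if err := authenticate(s, req.Username, req.Password); err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "ok")
	}
}

// dummyHash is compared against when the user does not exist, so that path costs
// about the same as a real comparison (constructed value, never a valid credential).
var dummyHash = hashPassword("dummy-value-never-a-real-password")

// hardenedLogin collapses every failure into genericLoginError with the same status.
func hardenedLogin(s userStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req loginRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "malformed request", http.StatusBadRequest)
			return
		}
		stored, err := s.lookup(req.Username)
		if errors.Is(err, sql.ErrNoRows) {
			stored = dummyHash // keep doing the comparison; err stays set so we still reject
		} else if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError) // log err server-side
			return
		}
		given := hashPassword(req.Password)
		if err != nil || subtle.ConstantTimeCompare(stored[:], given[:]) != 1 {
			http.Error(w, genericLoginError, http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "ok")
	}
}

// doLogin posts the same JSON body the curl session uses and returns status + body.
func doLogin(h http.Handler, username, password string) (int, string) {
	body := strings.NewReader(fmt.Sprintf(`{"username":%q,"password":%q,"remember":false}`, username, password))
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, httptest.NewRequest(http.MethodPost, "/api/login", body))
	return rr.Code, strings.TrimSpace(rr.Body.String())
}

func main() {
	store := userStore{"fleaz": hashPassword("correct-horse")} // constructed sample account
	for name, h := range map[string]http.Handler{"vulnerable": vulnerableLogin(store), "hardened": hardenedLogin(store)} {
		for _, u := range []string{"fleaz", "fleazz"} {
			code, msg := doLogin(h, u, "asd")
			fmt.Printf("%-10s %-7s -> %d %s\n", name, u, code, msg)
		}
	}
}
```

Run with `go run .`: the vulnerable handler answers the two usernames with two different strings, the hardened one answers both with the same 401 and the same text. The generic message alone does not stop the second complaint in the report (hammering the endpoint in a loop); that needs rate limiting or lockout on the server side, which this example deliberately leaves out.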