Disable Username and Email Enumeration in New Account Form

by Roger Mepham -
Number of replies: 0

Hi

A recent penetration test identified a security flaw in our Moodle 2.7's self-registration process, which allows a potential hacker to discover whether a username or email is valid by using either in the new user sign-up form and then getting the "This username already exists, choose another" or the "This email address is already registered. New password?" message.

Does anyone have a suggestion as to how to bypass this message and just display a "thank you for registering" message?

Thanks for any suggestions and comments.

Roger Mepham

Average of ratings: -
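The behaviour described in the post, next to a sign-up handler that shows the same text for every outcome, as an added example that is not part of the original post and is not Moodle code. `SignupService`, its methods, the in-memory store and the mail "kinds" are all hypothetical names, and the sample addresses are constructed.

```python
GENERIC = "Thank you for registering. Check your email to continue."


def normalize(value):
    # Compare case-insensitively so "Alice@..." and "alice@..." collide.
    return value.strip().lower()


class SignupService:
    """Toy in-memory account store (hypothetical, for illustration only)."""

    def __init__(self):
        self.users = {}    # username -> email
        self.outbox = []   # (recipient, kind) pairs standing in for sent mail

    def _taken(self, username, email):
        return username in self.users, email in self.users.values()

    def signup_leaky(self, username, email):
        # Distinct on-screen messages tell the requester what already exists.
        username, email = normalize(username), normalize(email)
        name_taken, mail_taken = self._taken(username, email)
        if name_taken:
            return "This username already exists, choose another"
        if mail_taken:
            return "This email address is already registered. New password?"
        self.users[username] = email
        self.outbox.append((email, "confirm"))
        return GENERIC

    def signup_uniform(self, username, email):
        # The page shows one message for every outcome; the real outcome is
        # delivered only to the mailbox that was submitted.
        username, email = normalize(username), normalize(email)
        name_taken, mail_taken = self._taken(username, email)
        if mail_taken:
            self.outbox.append((email, "already_registered"))
        elif name_taken:
            self.outbox.append((email, "username_unavailable"))
        else:
            self.users[username] = email
            self.outbox.append((email, "confirm"))
        return GENERIC
```

With this design a username collision is still visible to anyone who registers with a mailbox they control, so the form also needs rate limiting or a CAPTCHA, and every branch should take similar time to respond.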