Security Advisory 06 – 038 – Username enumeration is possible via the password reset mechanism
Vulnerability discovery and development:
Portcullis Security Testing Services.
Credit for Discovery:
Tim Brown – Portcullis Computer Security Ltd.
All known versions of Movable Type. This vulnerability was discovered in version 3.16.
Requesting the URL http://webserver/path/to/mt.cgi?__mode=recover&name=[username] returns pages containing different error messages depending on whether an account with that username exists in the authentication database. If an account with that username exists, the error message is “‘Birthplace’ does not match stored ‘birthplace’ for this author”; however, if no account with that username exists, the error message “No such author with name ‘[username]’” is returned instead.
An attacker could use this to enumerate the account usernames which exist in the authentication database.
Exploit code is not required.
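The request pattern described above is visible in web server access logs. The following detection sketch is an added example, not part of the original advisory or of Movable Type: it counts the distinct name values each client submits to mt.cgi?__mode=recover. The Apache combined log format, the sample lines, the /cgi-bin/mt/ prefix and the threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
# The /cgi-bin/mt/ prefix, addresses and usernames are made up for the example.
SAMPLE_LOG = "\n".join(
    f'{ip} - - [12/Jun/2006:10:00:0{i} +0000] "GET {path} HTTP/1.1" 200 2143 "-" "-"'
    for i, (ip, path) in enumerate([
        ("198.51.100.7", "/cgi-bin/mt/mt.cgi?__mode=recover&name=admin"),
        ("198.51.100.7", "/cgi-bin/mt/mt.cgi?__mode=recover&name=alice"),
        ("203.0.113.20", "/cgi-bin/mt/mt.cgi?__mode=recover&name=erin"),
        ("198.51.100.7", "/cgi-bin/mt/mt.cgi?__mode=recover&name=bob"),
        ("198.51.100.7", "/cgi-bin/mt/mt.cgi?name=carol&__mode=recover"),
        ("203.0.113.20", "/cgi-bin/mt/mt.cgi?__mode=recover&name=Erin"),
        ("198.51.100.7", "/cgi-bin/mt/mt.cgi?__mode=recover&name=dave"),
        ("203.0.113.20", "/archives/index.html"),
    ])
)

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def recover_names_by_client(log_text):
    """Map client address -> set of usernames sent to mt.cgi?__mode=recover."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        params = parse_qs(url.query)
        if url.path.endswith("/mt.cgi") and params.get("__mode") == ["recover"]:
            # Assumption: fold case so "Erin" and "erin" count as one name.
            seen[client].update(n.lower() for n in params.get("name", []))
    return dict(seen)

def flag_enumeration(log_text, max_distinct=3):
    """Return clients that submitted more than max_distinct different names."""
    hits = recover_names_by_client(log_text)
    return {c: sorted(n) for c, n in hits.items() if len(n) > max_distinct}

if __name__ == "__main__":
    for client, names in flag_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} distinct usernames probed: {names}")
```

This only covers the GET form shown in the advisory; a name parameter carried in a POST body does not appear in the access log and needs application-level logging instead.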