Hello All,
I recently noticed that when I am logged into a DNN site, and when I click on my profile, I see the following URL:
http://www.dotnetnuke.com/UserProfile...
I have replaced my userid with 999999 as you can see. However, if I change the values to real-world values, I can see the username (only) of all the users on the site, i.e. 999998, 999997, 999996, 999995, 999994. You do see an error if the selected value does not exist, of course.
With 5 - 10 mins of scripting, anyone can harvest all the site's usernames and corresponding UserIds.
I presume there is an argument that knowing the username only does not compromise one's security, but surely it does give away something that would be better kept secret?
I am also presuming that encrypting the userid in that URL would break some other dependencies, but shouldn't this publicly visible userid / username combo be something to eliminate?
Sorry if this has been discussed many times before - I am just curious to hear your views on this.
Thanks,
Mark
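
A defender-side check for the ID-walking pattern this post describes, added here as an example and not part of the original post or of DNN: it flags clients in a web access log that request a block of adjacent user IDs. The log format, the `/profile?userId=N` path, the 404 status for a missing user and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not from the post). "/profile?userId=N" is a
# hypothetical stand-in for the truncated profile URL; a 404 stands for the
# error the post says appears when a user ID does not exist.
SAMPLE_LOG = """\
203.0.113.7 [10:00:01] GET /profile?userId=1001 200
203.0.113.7 [10:00:02] GET /profile?userId=1002 200
203.0.113.7 [10:00:02] GET /profile?userId=1003 200
203.0.113.7 [10:00:03] GET /profile?userId=1004 200
203.0.113.7 [10:00:03] GET /profile?userId=1005 200
203.0.113.7 [10:00:04] GET /profile?userId=1006 404
192.0.2.55 [11:00:00] GET /profile?userId=10 200
192.0.2.55 [11:20:00] GET /profile?userId=250 200
192.0.2.55 [11:40:00] GET /profile?userId=3000 200
192.0.2.55 [12:10:00] GET /profile?userId=41 200
192.0.2.55 [12:30:00] GET /profile?userId=977 200
"""

LINE_RE = re.compile(r"^(\S+) \[[^\]]+\] GET /profile\?userId=(\d+) (\d{3})$")

def longest_run(ids):
    """Length of the longest block of adjacent integers in a set of IDs."""
    best = 0
    for i in ids:
        if i - 1 not in ids:              # i starts a block
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def find_enumerators(log_text, min_distinct=5, min_run=4):
    """Return {client: stats} for clients walking a range of user IDs."""
    seen = defaultdict(lambda: {"ids": set(), "errors": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # ignore unrelated or malformed lines
        client, uid, status = m.group(1), int(m.group(2)), int(m.group(3))
        seen[client]["ids"].add(uid)
        seen[client]["errors"] += status == 404
    flagged = {}
    for client, s in seen.items():
        run = longest_run(s["ids"])
        if len(s["ids"]) >= min_distinct and run >= min_run:
            flagged[client] = {"distinct": len(s["ids"]), "run": run, "errors": s["errors"]}
    return flagged
```

On the constructed sample, `find_enumerators(SAMPLE_LOG)` flags only `203.0.113.7`; the second client views as many profiles but not as an adjacent block, so it is left alone.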