Why is the /validate endpoint public?

[Leonabcd123]

Why does the /validate endpoint (in the score.py file) allow users to match usernames to passwords without being the actual user? Can't this be used to get the emails of users?

[adamdoupe]

From my reading of the code, you need to provide both username and password (both must be correct) to get a 1. If either username or password is incorrect, it returns a 0. Therefore you shouldn't be able to enumerate email addresses or detect if a certain email address is a pwn.college user.

[Leonabcd123]

This isn't the case. The code is this:

@score_namespace.route("/validate")
class ValidateUser(Resource):
    @ratelimit(method="GET", limit=10, interval=60)
    def get(self):
        username = request.args.get("username")
        email = request.args.get("email")
        if not username or not email:
            return {"error": "`username` and `email` parameters are required"}, 400

        return int(bool(Users.query.filter_by(name=username, email=email, hidden=False).first()))

Creating a new account and testing it on it, I was able to get a 1 output when inputting both username and email.

This really seems like a security vuln, should we open an advisory for that?