
User Enumeration in Sign in page #2346

Closed
oosman-rak opened this issue Dec 21, 2020 · 6 comments

Comments

@oosman-rak

Describe the bug
It was observed that the login page of PHP-Fusion showed different messages for different username entries. This shows that the product is vulnerable to user enumeration.

Version
PHP-Fusion latest version 9.03.90.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'https://v9.demos.php-fusion.co.uk/administration/members.php'
  2. Login using valid credentials
  3. Add a new user.
  4. Now open a separate private tab, access the URL: https://v9.demos.php-fusion.co.uk/login.php.
  5. Try logging in with the username we created and a wrong password. Observe that the product shows the message 'Enter valid Password'.
  6. Now try logging in with a wrong/non-existing username and password. Observe that the application shows a different message.
  7. This difference in error messages lets an attacker collect valid usernames, which eases brute-forcing or login attempts.

Expected behavior
Display a common message for any combination of wrong username/password.

Screenshots

[Screenshot: php-fusion-3]
[Screenshot: php-fusion-4]
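The report above boils down to a login handler whose failure message depends on whether the username exists. The following is an added example (not PHP-Fusion's code, and not a fix the project's maintainers posted) that shows the leaky pattern from the report next to a hardened handler that returns one generic message and does the same amount of password-hashing work whether or not the account exists, so neither the message nor the response time distinguishes "unknown user" from "wrong password". The user store, the `alice` account, the `GENERIC_FAILURE` string and the "User does not exist" message are all constructed for the example; `responses_are_uniform` is a regression check a maintainer could keep in a test suite.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2-SHA256 is used here only because it ships with the standard library;
# any slow password hash (bcrypt, argon2) serves the same purpose.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(password: str):
    """Return (salt, hash) for a new account."""
    salt = os.urandom(16)
    return (salt, hash_password(password, salt))


# Constructed sample user store: username -> (salt, hash). Not PHP-Fusion's schema.
USERS = {
    "alice": make_user("correct horse battery staple"),
}

# Dummy credential used when the username is unknown, so the hardened handler
# still performs exactly one PBKDF2 computation and its response time does not
# reveal whether the account exists. The password is random and never matches.
_DUMMY_SALT, _DUMMY_HASH = make_user(secrets.token_hex(16))

GENERIC_FAILURE = "Invalid username or password."


def login_leaky(username: str, password: str):
    """The pattern described in the report: the failure message depends on
    whether the username exists, and an unknown user skips the hash entirely."""
    user = USERS.get(username)
    if user is None:
        return (False, "User does not exist")          # constructed message
    salt, stored = user
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return (False, "Enter valid Password")          # message quoted in the report
    return (True, "Welcome")


def login_uniform(username: str, password: str):
    """Hardened handler: one message for every failure, same work on every path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)           # always computed
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    if not ok:
        return (False, GENERIC_FAILURE)
    return (True, "Welcome")


def responses_are_uniform(handler) -> bool:
    """Regression check: a wrong password for a real account and any password
    for a non-existent account must produce the same failure message."""
    _, msg_known = handler("alice", "wrong-password")
    _, msg_unknown = handler("no-such-user", "wrong-password")
    return msg_known == msg_unknown


if __name__ == "__main__":
    print("leaky handler uniform?   ", responses_are_uniform(login_leaky))    # False
    print("hardened handler uniform?", responses_are_uniform(login_uniform))  # True
```

The `username in USERS` check in `login_uniform` is evaluated after the hash comparison so the expensive step always runs; it exists only to guarantee that a guess can never "succeed" against the dummy record. Account lockout, rate limiting and logging of repeated failures belong on top of this, but they do not replace the uniform message.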

@oosman-rak (Author)

@FrederickChan @RobiNN1 any updates on this?

@oosman-rak (Author)

Hi @RobiNN1 ,

Can I raise a CVE request for this now?

Thanks,
Mohamed Oosman B S

@RobiNN1 (Contributor)

RobiNN1 commented Jan 3, 2021

I don't care about CVE but do what you want. It's already fixed.

@RobiNN1 RobiNN1 reopened this Jan 3, 2021
@RobiNN1 RobiNN1 closed this as completed Jan 3, 2021
@JoakimFalk (Contributor)

JoakimFalk commented Jan 4, 2021

@oosman-rak I really hope you guys do not run penetration tests on our live sites. We had huge traffic spikes in January, on the demos to be specific.
That is considered flooding at best and a DDoS attempt at worst. In fact our logs were several hundred GB in size due to this, causing major issues and in essence halting the server.
I will only say this once: please run tests on your local host or not at all. I will take action if my notification here is not taken seriously.

@oosman-rak (Author)

oosman-rak commented Jan 4, 2021

Hi @JoakimFalk,
Nope, I guess there is a misunderstanding on your side. I had just done basic logical testing (just like a normal user performs) in mid December and have not performed any kind of automation to generate this huge traffic. Not really sure about the spike in January you are talking about, because I haven't even visited the demo site since then.

@JoakimFalk (Contributor)

Hi!
Thank you for clarifying. I was required to mention it since I know you have been doing some tests. Good to hear that you are not running any automated scripts for penetration testing on live sites.
