
Username Enumeration #6791

Closed
GYWF opened this issue Jan 19, 2022 · 1 comment
GYWF commented Jan 19, 2022

Subject of the issue

When a user logs in, the application returns different results depending on whether the account is correct, which allows an attacker to determine if a given username is valid.

Your environment

EMQ X 3.x

Steps to reproduce

The problem lies in the "/api/v3/auth" interface.

If you log in using an existing account and the Password is incorrect, "Password Error" is displayed.

and "Username Not Found" is displayed when you log in using a non-existent account.

@thalesmg thalesmg self-assigned this Jan 19, 2022
thalesmg (Contributor) commented

Hi @GYWF !

Thank you for your report!

That version of EMQ X (3.x) is no longer supported. Fortunately, on the latest 4.3.11 (/api/v4/auth), that issue is now resolved. Not only do you have to be already authenticated to use this API, but the return is the same for both non-existent users and wrong passwords:

```
$ curl -su 'admin:public' -XPOST http://localhost:8081/api/v4/auth -d '{"username": "admin", "password": "wrongpass"}' | jq .
{
  "message": "Username/Password error"
}

$ curl -su 'admin:public' -XPOST http://localhost:8081/api/v4/auth -d '{"username": "wronguser", "password": "somepass"}' | jq .
{
  "message": "Username/Password error"
}
```

Please, feel free to open another issue if you find similar problems in the current versions!
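The two behaviours discussed in this thread, the v3-style handler that answers "Username Not Found" / "Password Error" and the v4-style handler that answers a single "Username/Password error", side by side as an added Python example. This is illustrative code written for this page, not EMQ X's own implementation (EMQ X is written in Erlang); the in-memory user store, the salt, the PBKDF2 parameters and the function names are constructed for the demonstration. The hardened handler also hashes the supplied password against a dummy digest when the user does not exist, so the unknown-user and wrong-password paths do roughly the same work and the message is not the only thing that must be kept uniform; `leaks_username_existence` is the regression check a maintainer can keep in a test suite to catch the difference coming back.

```python
import hashlib
import hmac

# Constructed demo parameters: a real service uses a per-user random salt
# stored alongside the digest and reads users from its database.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; standard library only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


# Constructed in-memory user store with the one account used in the thread.
USERS = {"admin": _hash_password("public", _SALT)}

# Digest compared against when the username is unknown, so that the
# unknown-user path still performs a full password hash (no timing tell).
_DUMMY_DIGEST = _hash_password("dummy-password", _SALT)


def auth_v3_style(username: str, password: str) -> dict:
    """Reproduces the enumerable behaviour reported for /api/v3/auth:
    the message differs depending on whether the username exists."""
    stored = USERS.get(username)
    if stored is None:
        return {"message": "Username Not Found"}
    if not hmac.compare_digest(stored, _hash_password(password, _SALT)):
        return {"message": "Password Error"}
    return {"message": "OK"}


def auth_hardened(username: str, password: str) -> dict:
    """Single failure message, as /api/v4/auth returns in the thread,
    plus constant work whether or not the user exists."""
    stored = USERS.get(username)
    expected = stored if stored is not None else _DUMMY_DIGEST
    candidate = _hash_password(password, _SALT)
    digest_matches = hmac.compare_digest(expected, candidate)
    # Evaluate both conditions before branching; an unknown user can never
    # succeed even if the dummy digest were somehow matched.
    if stored is None or not digest_matches:
        return {"message": "Username/Password error"}
    return {"message": "OK"}


def leaks_username_existence(handler) -> bool:
    """Regression check: does a wrong password for a known user produce a
    different response than any password for an unknown user?"""
    known_user = handler("admin", "wrongpass")
    unknown_user = handler("wronguser", "somepass")
    return known_user != unknown_user


if __name__ == "__main__":
    for name, handler in (("v3-style", auth_v3_style), ("hardened", auth_hardened)):
        print(name, handler("admin", "wrongpass"), handler("wronguser", "somepass"),
              "leaks:", leaks_username_existence(handler))
```

The check compares whole response bodies; in a real test it is worth also comparing HTTP status codes and headers, since a 404 versus a 401 leaks the same information as two different messages. The v4 endpoint's additional requirement that the caller already be authenticated (the `-u 'admin:public'` in the curl examples above) further limits who can even reach the comparison.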
