(Vulnerability) Username enumeration via response timing #381

Closed
Astaruf opened this issue Oct 24, 2022 · 2 comments

Comments

@Astaruf

Astaruf commented Oct 24, 2022

It is possible to enumerate users registered in PwnDoc (tested on 0.5.3 - 2022-07-19 and previous versions) observing the web server response timing.
For example, let's suppose these users were registered on PwnDoc:

[Screenshot: 2022-10-06 23-22-56, list of registered users]

By performing a brute force dictionary attack, a defined list of users can be provided via login POST request to detect the server's response time.

[Screenshot: 2022-10-06 23-35-03, login requests with response times]

All the valid users can be discovered by a potential attacker checking if the response time to the login request is long. For non-existing users we can see a shorter response time.

The attack success depends highly on the stability of the server and the Internet connection between hosts. In any case, in order to apply a remediation, it is advisable to add a timing delay to balance the response timing for each login request.

Let me know if I can help you in any way; also, once fixed, I would like to get a CVE from mitre.org.

@Astaruf Astaruf changed the title Username enumeration via response timing (Vulnerability) Username enumeration via response timing Oct 27, 2022
@Astaruf (Author)

Astaruf commented Oct 31, 2022

A CVE-ID has been reserved by Mitre.org for this vulnerability CVE-2022-44022.

@MaxNad (Collaborator)

MaxNad commented Mar 8, 2023

In the future, I would advise following the newly created security policy, as publicly disclosing a vulnerability with a full proof of concept without contacting the project maintainers, providing a PR with a solution and/or using the GitHub private disclosure feature is not the most responsible way to go about it.

That being said, thank you for caring about the security of PwnDoc.

This issue was fixed in commit bd8bded.

@MaxNad MaxNad closed this as completed Mar 8, 2023