
(Vulnerability) Disabled user account enumeration via different responses #382

Closed
Astaruf opened this issue Oct 24, 2022 · 2 comments

Comments

@Astaruf

Astaruf commented Oct 24, 2022

It is possible to enumerate "disabled account" usernames in PwnDoc (tested on 0.5.3 - 2022-07-19) observing the web server responses to login requests.
For example, let's suppose these users were registered on PwnDoc and then disabled:

[Screenshot 2022-10-06 23-02-22]

Trying to log in with one of these disabled users, the application in fact responds with the message "Account disabled".

[Screenshot 2022-10-06 23-06-31]

Client request and server response:
[Screenshot 2022-10-06 23-15-01]

Trying to log in with a user who does not exist, the application responds with "Invalid credentials":

[Screenshot 2022-10-06 23-14-42]

This server behavior can be exploited to enumerate disabled users on the platform, who may be re-enabled by an admin and used again in the future.

By performing a brute-force dictionary attack, a defined list of users can be provided via login POST requests to detect all the "Account disabled" server responses and exclude the "Invalid credentials" ones.

[Screenshot 2022-10-06 23-19-30]

The standard recommendation to mitigate this vulnerability is to return identical responses for “valid user/wrong password” and “invalid user” login requests.

Let me know if I can help you in any way. Also, once fixed, I would like to get a CVE from mitre.org.

@Astaruf Astaruf changed the title Disabled user account enumeration via different responses (Vulnerability) Disabled user account enumeration via different responses Oct 27, 2022
@Astaruf (Author)

Astaruf commented Oct 31, 2022

A CVE-ID has been reserved by Mitre.org for this vulnerability: CVE-2022-44023.

@MaxNad (Collaborator)

MaxNad commented Mar 8, 2023

In the future, I would advise following the newly created security policy, as publicly disclosing a vulnerability with a full proof of concept without contacting the project maintainers, providing a PR with a solution and/or using the GitHub private disclosure feature is not the most responsible way to go about it.

That being said, thank you for caring about the security of PwnDoc.

This issue was fixed in commit bd8bded

@MaxNad MaxNad closed this as completed Mar 8, 2023