It is possible to enumerate "disabled account" usernames in PwnDoc (tested on 0.5.3 - 2022-07-19) by observing the web server responses to login requests.
For example, let's suppose these users were registered on PwnDoc and then disabled:
Trying to log in with one of these disabled users, the application in fact responds with the message "Account disabled".
Client request and server response:
Trying to log in with a user who does not exist, the application responds with "Invalid credentials":
This server behavior can be exploited to enumerate disabled users on the platform, who may be re-enabled by an admin and used again in the future.
By performing a brute force dictionary attack, a defined list of users can be provided via login POST requests to detect all the "Account disabled" server responses and exclude the "Invalid credentials" ones.
The standard recommendation to mitigate this vulnerability is to return identical responses for “valid user/wrong password” and “invalid user” login requests.
Let me know if I can help you in any way. Also, once fixed, I would like to get a CVE from mitre.org.
Astaruf changed the title from "Disabled user account enumeration via different responses" to "(Vulnerability) Disabled user account enumeration via different responses" on Oct 27, 2022.
In the future, I would advise following the newly created security policy, as publicly disclosing a vulnerability with a full proof of concept without contacting the project maintainers, providing a PR with a solution and/or using the GitHub private disclosure feature is not the most responsible way to go about it.
That being said, thank you for caring about the security of PwnDoc.