Observable Response Discrepancy in fisharebest/webtrees
Sep 5th 2021
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. The Forgot Password feature can be exploited to conduct user enumeration. If the given email exists in the database the application responds with 'A password reset link has been sent to “firstname.lastname@example.org”.' and if it is not present the response is 'There is no user account with the email “email@example.com”.'
Instead of revealing this information to an unauthorized actor, it is recommended to provide a generic response such as 'If the given email exists in our database, a reset email will be sent'.
🕵️♂️ Proof of Concept
If the user exists in the database.
If the user doesn't exist.
A user enumeration allows somebody to find valid user logins on an application. To do this, an attacker will try to enter a number of usernames and observe the behavior of the application, to determine whether an identifier is valid or not (different error messages, different response times, and more generally any difference in HTTP responses).