Observable Response Discrepancy in fisharebest/webtrees


Reported on

Sep 5th 2021

✍️ Description

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. The Forgot Password feature can be exploited to conduct user enumeration. If the given email exists in the database the application responds with 'A password reset link has been sent to “user@test.com”.' and if it is not present the response is 'There is no user account with the email “test@test.com”.'

Instead of revealing this information to an unauthorized actor, it is recommended to provide a generic response such as 'If the given email exists in our database, a reset email will be sent'.

🕵️‍♂️ Proof of Concept

If the user exists in the database.

User Enumeration

If the user doesn't exist.

User Enumeration

💥 Impact

A user enumeration allows somebody to find valid user logins on an application. To do this, an attacker will try to enter a number of usernames and observe the behavior of the application, to determine whether an identifier is valid or not (different error messages, different response times, and more generally any difference in HTTP responses).


We have contacted a member of the fisharebest/webtrees team and are waiting to hear back 3 months ago
Greg Roach validated this vulnerability 3 months ago
Melbin Mathew Antony has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach confirmed that a fix has been merged on 3a8376 3 months ago
Greg Roach has been awarded the fix bounty