User Enumeration in kareadita/kavita
Reported on
Oct 27th 2022
Description
The migrate-email endpoint is requiring Email, Username, and Password parameter. The Username parameter value will be queried to _userManager.Users and will returning data to user variable, if user variable contain null value, the application will return bad request with "Invalid username" message, which is similar to user doesn't exist message.
This bad request message can be used for user enumeration, with the asumption if an Username parameter value using the valid username, the backend will returing the different message.
Proof of Concept
1. Send a request with the following parameter :
- Email parameter with any email value
- Username parameter with any value
- Password parameter with any value

2. The backend will response "Invalid username"
3. An then, try to put the valid Username on Username parameter.

4. The backend will response "Your credentials are not correct".
Impact
An attacker could perform an bruteforce attack to either guess or confirm valid users in a system.
Occurrences
References
@admin can disclose this report? Also can to assign cve for this vulnerability?
This is not ready for disclosure. I will publish when it is ready.
