Username can be enumerated by password reset endpoint in snipe/snipe-it
Jun 19th 2022
The error message returned by /password/reset/1 reveals whether the submitted username exists in the instance.
I believe this is a valid issue for the following reason:
- /password/reset: after submitting the username on this page, the server always returns success, no matter whether the username exists or not.
- ForgotPasswordController.php: in this file, you added a random sleep to prevent user enumeration.
Proof of Concept
Open /password/reset/1 (the token value 1 is arbitrary, used here as an example) and submit the form with different usernames; the responses differ depending on whether the username exists. Make sure you enter a password that matches the password security rules, so that the request gets past validation.
For the admin user, the response is passwords.token (which I think is missing a lang translation). passwords.token is Laravel's translation key for the invalid-reset-token error, so in this case the user lookup succeeded and only the bogus token was rejected.
For any other username, the response is 500 | SERVER ERROR.
On my self-hosted site, the response is: No matching active user found with that email.
An attacker can write a script that submits the form once per candidate username and, from the differing responses, determines which users are registered on the snipe-it instance.
Usernames of the snipe-it instance can be enumerated