Observable Response Discrepancy in osticket/osticket

Valid

Reported on

Sep 28th 2021


Description

The forgot-password flow can be abused to leak valid usernames, because the response returned differs depending on whether or not the submitted user exists.

Proof of Concept

1. Go to http://[OSTICKET-SERVER]/htdocs/osticket/scp/pwreset.php
2. Key in a username that does not exist; the response is: "Unable to verify username"
3. Key in a username that exists; the response is: "A confirmation email has been sent"

Impact

This vulnerability allows valid usernames on the application to be enumerated.

Recommended Fix

The application should return the same response whether a valid or an invalid username is keyed in, for example:

"If the user exists, a password reset email was sent to your email. Follow the link in the email to reset your password."
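The same-response principle modelled in Python, as an added example that is not osTicket's code: the pre-fix handler, a fixed handler that also keeps a mail delivery failure out of the response, and a regression check that a known and an unknown username yield identical bodies. The account store, the `mallory` username and the `send_email` callback are constructed for the example.

```python
"""Added example (not osTicket code): password-reset handler before and after
the fix, plus a regression check for an observable response discrepancy."""
import logging

# Constructed sample account store: username -> email address on file.
ACCOUNTS = {"alice": "alice@example.invalid"}

# Messages quoted in the report; MSG_GENERIC is the neutral wording of the fix.
MSG_UNKNOWN = "Unable to verify username %s"
MSG_SENT = "A confirmation email has been sent"
MSG_ERROR = "Internal error occurred"
MSG_GENERIC = ("If the information provided is valid a password reset email "
               "will be sent to the email address you have on file.")


def reset_vulnerable(userid, accounts=ACCOUNTS, send_email=lambda addr: True):
    """Pre-fix behaviour: each branch renders a different message, so the
    body tells the requester whether the account exists."""
    if userid not in accounts:
        return MSG_UNKNOWN % userid        # only reachable for unknown users
    if not send_email(accounts[userid]):
        return MSG_ERROR                   # only reachable for existing users
    return MSG_SENT


def reset_fixed(userid, accounts=ACCOUNTS, send_email=lambda addr: True):
    """Post-fix behaviour: every path renders the same 'sent' page.
    A delivery failure is logged server-side instead of being shown, so an
    existing account cannot be told apart by a mail error either."""
    email = accounts.get(userid)
    if email is not None and not send_email(email):
        logging.warning("pwreset: mail delivery failed for %r", userid)
    return MSG_GENERIC


def responses_are_uniform(handler, known, unknown, send_email=lambda addr: True):
    """Regression check: a known and an unknown username must produce
    identical bodies. Returns True when no discrepancy is observable."""
    return (handler(known, send_email=send_email)
            == handler(unknown, send_email=send_email))
```

Body equality is only part of such a check; a full regression test would also compare status codes, headers and approximate response time, since sending a mail on one branch only can leave a timing difference.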

Occurrences

We have contacted a member of the osticket team and are waiting to hear back 2 months ago
haxatron modified their report
2 months ago
osticket/osticket maintainer (Maintainer)
2 months ago

@haxatron

You are making us do some work 🤣

All kidding aside, please apply and test the below patch:

diff --git a/include/client/pwreset.sent.php b/include/client/pwreset.sent.php
index 91c4720..6afcb3f 100644
--- a/include/client/pwreset.sent.php
+++ b/include/client/pwreset.sent.php
@@ -5,7 +5,7 @@
 
 <form action="pwreset.php" method="post" id="clientLogin">
 <div style="width:50%;display:inline-block"><?php echo __(
-    'We have sent you a reset email to the email address you have on file for your account. If you do not receive the email or cannot reset your password, please submit a ticket to have your account unlocked.'
+    'If the information provided is valid a password reset email will be sent to the email address you have on file. If you do not receive the email or have trouble reseting your password, please contact support.'
 ); ?>
     </div>
 </form>
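Review bot: the new client-side string on the `+` line has a typo, "reseting" should be "resetting"; since the text is wrapped in `__()`, fixing it before merge avoids shipping a misspelled msgid that translators then have to track. The wording change itself is right: the page no longer asserts that an email was actually sent.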
diff --git a/include/staff/pwreset.sent.php b/include/staff/pwreset.sent.php
index bd6ce08..d918d34 100644
--- a/include/staff/pwreset.sent.php
+++ b/include/staff/pwreset.sent.php
@@ -15,7 +15,7 @@ $info = ($_POST && $errors)?Format::htmlchars($_POST):array();
     </a></h1>
     <h3><?php echo __('A confirmation email has been sent'); ?></h3>
     <h3 style="color:black;"><em><?php echo __(
-    'A password reset email was sent to the email on file for your account.  Follow the link in the email to reset your password.'
+    'If the information provided is valid a password reset email will be sent to the email address you have on file. Follow the link in the email to reset your password.'
     ); ?>
     </em></h3>
 
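Review bot: the `<h3>` heading two lines above the change, `__('A confirmation email has been sent')`, is left unchanged and still states something that is only true for an existing account; now that this template is rendered for unknown usernames as well, reword it to something neutral (for example `__('Password reset requested')`) or drop it, so the staff page makes no claim the server cannot back up.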
diff --git a/pwreset.php b/pwreset.php
index bc9ef6f..f8556c6 100644
--- a/pwreset.php
+++ b/pwreset.php
@@ -27,8 +27,7 @@ if($_POST) {
                         .' '.__('Internal error occurred');
             }
             else
-                $banner = sprintf(__('Unable to verify username %s'),
-                    Format::htmlchars($_POST['userid']));
+                $inc = 'pwreset.sent.php';
             break;
         case 'reset':
             $inc = 'pwreset.login.php';
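Review bot: the unchanged `.' '.__('Internal error occurred');` banner at the top of the hunk remains a distinct response; if that path is only reachable when the account exists but the reset mail could not be sent, a delivery problem would again let an existing username be told apart from an unknown one. Consider logging the failure server-side and falling through to `$inc = 'pwreset.sent.php';` there too. The success-path assignment of `$inc` is outside this hunk, so confirm both branches render the identical template.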
diff --git a/scp/pwreset.php b/scp/pwreset.php
index a81689d..16c5298 100644
--- a/scp/pwreset.php
+++ b/scp/pwreset.php
@@ -51,8 +51,7 @@ if($_POST) {
                 }
             }
             else
-                $msg = sprintf(__('Unable to verify username %s'),
-                    Format::htmlchars($_POST['userid']));
+                $tpl = 'pwreset.sent.php';
             break;
         case 'newpasswd':
             // TODO: Compare passwords
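Review bot: this mirrors the client-side change and, as a side benefit, removes the reflection of `$_POST['userid']` into the page. Because the UI no longer signals a failed lookup, add a server-side log entry in the unknown-username branch and consider rate limiting `scp/pwreset.php`, so that enumeration attempts against the staff panel remain detectable to operators.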

Cheers.

haxatron (Researcher)
2 months ago


Yep! I do not see any differentiated responses anymore. If you'd like, you can also remove 'A confirmation email has been sent' in the file include/staff/pwreset.sent.php, as it is still being shown, but it does not really matter since it is shown for both valid and invalid usernames. And thanks for fixing! :)

osticket/osticket maintainer validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
JediKev confirmed that a fix has been merged on 86165c 2 months ago
JediKev has been awarded the fix bounty
pwreset.sent.php#L16L18 has been validated