Description

Administrator users can create multiple users with the same username which breaks the logic of the web application.

Proof of Concept

Step 1: At Administration>User Management>Manager User Screen, click on "New Local User" button

Step 2: Fill in all the required fields, notice that the email is pentest@gmail.com.

Step 3: Intercept the above request

Step 4: Send the request to "Intruder", set payload position as image below

Step 5: Set the number of payloads to 100

Step 6: Set the concurrent requests to 30 and click "Start attack"

Step 7: 30 requests creating the user with the username "pentest@gmail.com" will be sent at the same time. Looking at the result, we can see there are 3 users with the username "pentest@gmail" created.

Step 8: Send the request again and see that it fails because the user "pentest@gmail.com" was created before, which means by default, it is unacceptable that 2 users with the same username in this system.

Step 8: Go to the User Management screen to confirm that.

Impact

When a race condition occurs during the creation of multiple users with the same username, it can result in data inconsistencies and authentication problems. Concurrent processes may overwrite or corrupt user data, leading to difficulties in identifying and distinguishing users, compromising security, and creating usability challenges.