Username and email enumeration via Forgot password feature in froxlor/froxlor
Reported on
Nov 4th 2022
📜 Description
User enumeration occurs when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system. The actor looks for differences in the server's response that depend on the validity of the submitted credentials; these differences can appear in the response body, the response headers or, sometimes, in the response delay.
In your application, user enumeration occurs when a user requests a password reset.
🕵️ Proof of Concept
Screenshot: response to an invalid user/email pair
Screenshot: response to a valid user/email pair
The responses differ depending on the validity of the request.
🔐 Mitigations
Use the same response for valid and invalid requests; for example, a generic message such as:
If your email exists in our database, a password reset link will be sent.
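The following added example (not froxlor's code) contrasts a reset handler with the reported behaviour against one that applies the mitigation above; the user store, handler names and the regression check are constructed for illustration.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed in-memory user store standing in for the application's database.
USERS: Dict[Tuple[str, str], str] = {
    ("alice", "alice@example.com"): "uid-1001",
}

GENERIC_MESSAGE = ("If your email exists in our database, "
                   "a password reset link will be sent.")


def lookup_user(username: str, email: str) -> Optional[str]:
    """Return the user id for a matching username/email pair, or None."""
    return USERS.get((username.strip().lower(), email.strip().lower()))


def vulnerable_forgot_password(username: str, email: str) -> dict:
    """Reported behaviour: the body differs for valid and invalid pairs,
    so an unauthenticated caller can confirm which accounts exist."""
    if lookup_user(username, email) is not None:
        return {"status": 200, "body": "A reset link has been sent to your address."}
    return {"status": 200, "body": "Unknown username or email address."}


def hardened_forgot_password(username: str, email: str, outbox: List[dict]) -> dict:
    """Mitigated handler: identical status and body on both paths.
    The mail is only queued here (outbox) and delivered out of band, so the
    response time does not depend on whether a mail was actually generated."""
    user_id = lookup_user(username, email)
    if user_id is not None:
        outbox.append({"user_id": user_id, "token": secrets.token_urlsafe(32)})
    return {"status": 200, "body": GENERIC_MESSAGE}


def responses_indistinguishable(handler: Callable[[str, str], dict]) -> bool:
    """Regression check: a valid and an invalid pair must yield the same
    status code and body (the two channels the report points at)."""
    valid = handler("alice", "alice@example.com")
    invalid = handler("mallory", "mallory@example.com")
    return valid == invalid
```

The check can be run against any handler under test; it fails for the reported behaviour and passes once the response is made constant.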
📚 References
Impact
User and email enumeration allows an attacker to find valid usernames/emails on the victim application. An attacker can use this information for more advanced attacks such as brute-forcing passwords or phishing attempts.
Will be fixed in the next release on 2nd of December.