Description
Summary
Hi, I am a full-time pentester. I was conducting an internal web application pentest on a client who was using the pimcore CMS, and after the OSINT phase I discovered potential employee emails. I successfully enumerated valid accounts from those emails via the Forgot password function, and then used password spraying to gain access.
contact: aymanrayan.kissami@gmail.com
Details
-> The error message discloses existing accounts and leads to user enumeration on the target via the "Forgot password" function, since no generic error message is implemented.
PoC
![image](https://private-user-images.githubusercontent.com/82874742/410432694-866e4cd1-25b2-4ed8-8292-6c528ae660d5.png)
We first enter a valid account email address and click on Submit.
![image](https://private-user-images.githubusercontent.com/82874742/410435809-7aaa1723-b0f9-4a76-b943-e1b01d1f37a9.png)
We get a green message confirming that the account exists and that a login link has been sent to our email.
![image](https://private-user-images.githubusercontent.com/82874742/410435935-7adb1f05-7339-4265-95c9-4d4817d4a6a1.png)
Now we go back and use a random email from temp-mail to test with a non-existent account.
![image](https://private-user-images.githubusercontent.com/82874742/410435985-5ce0bb53-16c3-4f34-9541-9e01b49c7472.png)
![image](https://private-user-images.githubusercontent.com/82874742/410436042-213e838f-0944-484e-93bf-7468ed9e699d.png)
Once we click on Submit, we get an error in red that a problem occurred.
![image](https://private-user-images.githubusercontent.com/82874742/410436093-c30dc56f-e612-46a0-945d-e9dc5f14da39.png)
The PoC of the user enumeration stops here, but here is a screenshot of me logging into the portal after password spraying against enumerated emails.
![image](https://private-user-images.githubusercontent.com/82874742/410436146-50ceac61-8771-4a48-aeb5-921f1bced11c.png)
Impact
User enumeration is a confidentiality threat: it lets an attacker enumerate valid accounts and potentially take over accounts when combined with credential stuffing against an organisation.
A remediation would be to change the response in both cases (valid and invalid emails) to what we call a "synchronised error", a single message that does not depend on whether the account exists. It would be, for example: "If the given email address is linked to an account, a login link will be sent to that email", or something along those lines.
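The remediation above as an added illustration (not pimcore's code): a minimal forgot-password handler in the enumerable form beside the uniform-response form, plus a check that the two replies cannot be told apart. The account store, message text and function names are constructed for this example.

```python
"""Forgot-password handler: enumerable reply vs. uniform reply (illustration)."""
from dataclasses import dataclass
import secrets

# Constructed sample account store for the example; not pimcore's data model.
KNOWN_ACCOUNTS = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class Response:
    status: int
    message: str


def send_login_link(email: str, token: str) -> None:
    """Stand-in for the mail step (in practice a queued job); does nothing here."""


def forgot_password_enumerable(email: str) -> Response:
    """Vulnerable pattern: status and text depend on whether the account exists."""
    if email not in KNOWN_ACCOUNTS:
        return Response(400, "A problem occurred")          # red error, unknown email
    send_login_link(email, secrets.token_urlsafe(32))
    return Response(200, "A login link has been sent to your email")  # green, known email


UNIFORM_MESSAGE = ("If the given email address is linked to an account, "
                   "a login link will be sent to that address.")


def forgot_password_uniform(email: str) -> Response:
    """Hardened pattern: identical status and text for known and unknown emails.

    The token is generated on both paths so the work done is the same; the
    mail step runs only for real accounts and should be dispatched
    asynchronously so response time does not reveal which branch was taken.
    """
    token = secrets.token_urlsafe(32)
    if email in KNOWN_ACCOUNTS:
        send_login_link(email, token)
    return Response(200, UNIFORM_MESSAGE)


def oracle_leaks(handler, known: str, unknown: str) -> bool:
    """True if a caller can distinguish a known from an unknown email by the reply.

    Useful as a regression test against your own endpoint after the fix.
    """
    a, b = handler(known), handler(unknown)
    return (a.status, a.message) != (b.status, b.message)
```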