View Issue Details

ID: 0006040
Project: SOGo
Category: Web General
View Status: public
Last Update: 2024-09-17 08:08
Reporter: julian123
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 5.11.0
Summary: 0006040: Bypass of Controls, Resulting in Username Enumeration
Description

A remote, unauthenticated attacker can enumerate valid user addresses of a SOGo instance by observing the difference in request processing times. When fuzzing the login portal with a list of potential usernames, processing times are 100ms more when a valid username is entered. This, in combination with the host header poisoning vulnerability, which may be used to poison the password reset link sent to the secondary email, as well as the ability to brute force the security questions, increases the severity and likelihood of account compromise.

Steps To Reproduce
  1. While running a Web proxy such as OWASP's ZAP or Burp Suite, navigate to the login page.
  2. Capture a login request.
  3. Send it to Intruder.
  4. Select the username field.
  5. Paste a list of as many usernames as you would like, for example 5000, with the last one being a valid username.
  6. Start the attack.
  7. Observe that responses for valid usernames are processed more slowly.
TagsNo tags attached.

Activities

julian123
2024-09-16 10:34
reporter

Pasted image 20240914200433.png (53,610 bytes)
sebastien
2024-09-16 13:10
administrator   ~0017887

This may be protected by Apache configuration, no?

julian123
2024-09-16 20:00
reporter   ~0017889

This is a result of the application prompting you for the forgot password hyperlink when a valid username is entered into the email field.
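An added illustration of the pattern behind this report (example code, not SOGo's own): a login routine that returns early for unknown usernames and only offers a reset link when the account exists, beside one that performs the same amount of work and returns the same response shape either way. The user store, salts, passwords, recovery address and PBKDF2 parameters are constructed for the example; `hash_checks` counts the expensive derivations as a deterministic stand-in for response time.

```python
"""Added illustration (not SOGo code): why an early exit on an unknown
username leaks account existence through timing, and the uniform-work
alternative. User records, salts and passwords below are constructed."""
import hashlib
import hmac
import time
from dataclasses import dataclass

ITERATIONS = 20_000  # low enough to run quickly, high enough to be measurable


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the deliberately slow step a login has to pay."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: one hypothetical account with a recovery address.
USERS = {
    "alice@example.test": {
        "salt": b"\x01" * 16,
        "hash": derive("correct horse", b"\x01" * 16),
        "recovery": "alice.backup@example.test",
    },
}
# Dummy credential so that a lookup for an unknown name costs the same work.
DUMMY_SALT = b"\x02" * 16
DUMMY_HASH = derive("placeholder-never-accepted", DUMMY_SALT)


@dataclass
class LoginResult:
    authenticated: bool
    show_reset_link: bool  # whether the response offers a password-reset link
    hash_checks: int       # PBKDF2 runs performed: the proxy for response time


def login_leaky(username: str, password: str) -> LoginResult:
    """'Before' pattern. Unknown names return before any hashing, so a
    valid name costs one PBKDF2 run more; the reset link is also only
    offered when the account exists, leaking existence in the body too."""
    record = USERS.get(username)
    if record is None:
        return LoginResult(False, False, 0)
    ok = hmac.compare_digest(derive(password, record["salt"]), record["hash"])
    return LoginResult(ok, (not ok) and record["recovery"] is not None, 1)


def login_uniform(username: str, password: str) -> LoginResult:
    """Hardened pattern. Exactly one PBKDF2 run and the same response shape
    whether or not the username exists."""
    record = USERS.get(username)
    salt = record["salt"] if record is not None else DUMMY_SALT
    expected = record["hash"] if record is not None else DUMMY_HASH
    matched = hmac.compare_digest(derive(password, salt), expected)
    ok = matched and record is not None  # a dummy match must never log in
    return LoginResult(ok, not ok, 1)  # reset link offered on every failure


def best_of(fn, username: str, password: str, rounds: int = 5) -> float:
    """Minimum wall-clock seconds over several calls (least noisy estimate)."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        fn(username, password)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        known = best_of(fn, "alice@example.test", "wrong")
        unknown = best_of(fn, "nobody@example.test", "wrong")
        print(f"{fn.__name__:14s} known={known*1e3:7.2f} ms  unknown={unknown*1e3:7.2f} ms")
```

Running the block prints best-of-five timings for each variant: the leaky one answers an unknown name almost instantly and a known name only after the hash, while the uniform one costs the same for both. The same principle applies to any per-account lookup done before authentication, such as fetching the secondary email to decide whether to show a reset link: either do it for every request or defer it until the caller has proven something.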

sebastien
2024-09-17 08:08
administrator   ~0017890

This is similar to a brute force attack. This can be blocked by usage of mod_security.

Issue History

Date Modified Username Field Change
2024-09-16 10:34 julian123 New Issue
2024-09-16 10:34 julian123 File Added: Pasted image 20240914200433.png
2024-09-16 13:10 sebastien Note Added: 0017887
2024-09-16 20:00 julian123 Note Added: 0017889
2024-09-17 08:08 sebastien Note Added: 0017890