View Issue Details

ID: 0002198
Project: SOGo
Category: Web General
View Status: public
Last Update: 2013-07-29 14:49
Reporter: mgs
Assigned To: ludovic
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: duplicate
Product Version: 2.0.4
Summary: 0002198: User Enumeration and Guessable User Account with SOGo web interface
Description

(Please also see https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_%28OWASP-AT-002%29)
and the untouched private bug about this issue I reported earlier (0002135)

It is possible to build a list of (active) accounts or e-mail addresses due to a difference in responses to unauthenticated requests when visiting valid/invalid user URLs in SOGo.
I.e. example.com/SOGo/so/invaliduser@example.com will return: "object not found: invaliduser@example.com" while entering a valid e-mail account will return the login screen.

Thus, with knowledge of an email address or account naming policy (depending on the configuration) I could programmatically retrieve a list of available accounts by crawling URLs.

Please always return the login interface for unauthenticated users.

Additional Information

Tested on 2.0.3a and 2.0.4
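The behaviour the report describes, as an added illustration that is not SOGo's code: a constructed URL resolver that answers differently for known and unknown users before authentication (the reported defect), the same resolver reordered so that unauthenticated requests always get the login page (the fix the report asks for), and a small detector that flags clients probing many distinct user URLs in a constructed access log. The account list, log lines, IP addresses and the `/SOGo/so/<user>` path handling are all assumptions made for the example.

```python
"""
Constructed example, not SOGo code: two resolvers for /SOGo/so/<user>
and a log-based check for user enumeration attempts.
"""
from collections import defaultdict
import re

# Constructed account directory standing in for the real user source.
KNOWN_USERS = {"alice@example.com", "bob@example.com"}

LOGIN_PAGE = (200, "login form")


def vulnerable_resolve(user, authenticated=False):
    """Reported defect: existence is checked before authentication,
    so an unknown user gets a distinct 404 body without logging in."""
    if user not in KNOWN_USERS:
        return (404, "object not found: %s" % user)
    if not authenticated:
        return LOGIN_PAGE
    return (200, "mailbox of %s" % user)


def hardened_resolve(user, authenticated=False):
    """Fix: decide on authentication first; the account lookup only
    happens for logged-in sessions, so every anonymous request looks alike."""
    if not authenticated:
        return LOGIN_PAGE
    if user not in KNOWN_USERS:
        return (404, "object not found: %s" % user)
    return (200, "mailbox of %s" % user)


def responses_distinguish(resolve, probe_users):
    """True if unauthenticated responses differ across the probed users,
    i.e. the resolver leaks which accounts exist."""
    return len({resolve(u, authenticated=False) for u in probe_users}) > 1


# Constructed access-log lines (common log format) for the detector.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2013:15:01:01 +0100] "GET /SOGo/so/alice@example.com HTTP/1.1" 200 1532
203.0.113.7 - - [26/Jan/2013:15:01:02 +0100] "GET /SOGo/so/carol@example.com HTTP/1.1" 404 57
203.0.113.7 - - [26/Jan/2013:15:01:02 +0100] "GET /SOGo/so/dave@example.com HTTP/1.1" 404 56
203.0.113.7 - - [26/Jan/2013:15:01:03 +0100] "GET /SOGo/so/erin@example.com HTTP/1.1" 404 56
203.0.113.7 - - [26/Jan/2013:15:01:03 +0100] "GET /SOGo/so/bob@example.com HTTP/1.1" 200 1532
198.51.100.4 - - [26/Jan/2013:15:02:10 +0100] "GET /SOGo/so/alice@example.com HTTP/1.1" 200 1532
"""

# client IP, the <user> path segment, and the status code
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /SOGo/so/([^/ ]+)[^"]*" (\d{3})'
)


def enumeration_suspects(log_text, threshold=3):
    """Return {client_ip: [user URLs that answered 404]} for clients that
    hit at least `threshold` distinct non-existent users."""
    misses = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) == "404":
            misses[m.group(1)].add(m.group(2))
    return {ip: sorted(users) for ip, users in misses.items()
            if len(users) >= threshold}


if __name__ == "__main__":
    probes = ["alice@example.com", "nobody@example.com"]
    print("vulnerable leaks:", responses_distinguish(vulnerable_resolve, probes))
    print("hardened leaks:  ", responses_distinguish(hardened_resolve, probes))
    print("suspects:", enumeration_suspects(SAMPLE_LOG))
```

The ordering in `hardened_resolve` is the whole fix: once authentication is required before any per-user lookup, the "object not found" branch can only be reached by someone who already holds a session. The log check is a coarse signal for servers still running the affected versions; the threshold is a constructed starting point, not a tuned value.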

Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2013-01-26 15:09 mgs New Issue
2013-07-29 14:49 ludovic Duplicate ID 0 => 2135
2013-07-29 14:49 ludovic Status new => resolved
2013-07-29 14:49 ludovic Resolution open => duplicate
2013-07-29 14:49 ludovic Assigned To => ludovic