View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0002198 | SOGo | Web General | public | 2013-01-26 15:09 | 2013-07-29 14:49

Field | Value
---|---
Reporter | mgs
Assigned To | ludovic
Priority | normal
Severity | minor
Reproducibility | always
Status | resolved
Resolution | duplicate
Product Version | 2.0.4
Summary | 0002198: User Enumeration and Guessable User Account with SOGo web interface
Description | (Please also see https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_%28OWASP-AT-002%29) It is possible to build a list of (active) accounts or e-mail addresses due to a difference in responses to unauthenticated requests when visiting valid/invalid user URLs in SOGo. Thus, with knowledge of an email address or account naming policy (depending on the configuration) I could programmatically retrieve a list of available accounts by crawling URLs. Please always return the login interface for unauthenticated users.
Additional Information | Tested on 2.0.3a and 2.0.4
Tags | No tags attached.
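Until the response discrepancy the report describes is fixed, the behaviour is at least visible in the web server log: one client touching many distinct per-user URLs and receiving a mix of responses. The following detection script is an added example, not code from the report or the SOGo project; it assumes Apache-style access log lines and a `/SOGo/so/<username>/` path layout for the "user URLs" the reporter mentions, and the status codes in the constructed sample are illustrative rather than what SOGo 2.0.4 actually returned.

```python
import re
from collections import defaultdict

# Constructed sample access log (not taken from the report). One client walks
# several user URLs unauthenticated and gets differing responses; the other
# is an ordinary user touching only their own mailbox.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2013:15:01:02 +0000] "GET /SOGo/so/alice/ HTTP/1.1" 200 1532
203.0.113.7 - - [26/Jan/2013:15:01:03 +0000] "GET /SOGo/so/bob/ HTTP/1.1" 404 209
203.0.113.7 - - [26/Jan/2013:15:01:04 +0000] "GET /SOGo/so/carol/ HTTP/1.1" 404 209
203.0.113.7 - - [26/Jan/2013:15:01:05 +0000] "GET /SOGo/so/dave/ HTTP/1.1" 200 1532
203.0.113.7 - - [26/Jan/2013:15:01:06 +0000] "GET /SOGo/so/erin/ HTTP/1.1" 404 209
198.51.100.4 - - [26/Jan/2013:15:02:10 +0000] "GET /SOGo/so/alice/ HTTP/1.1" 200 1532
198.51.100.4 - - [26/Jan/2013:15:02:11 +0000] "GET /SOGo/so/alice/Mail/ HTTP/1.1" 200 4410
"""

# Combined-log-format fields we need: client IP, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed per-user URL layout (hypothetical; adjust to the deployment's base path).
USER_RE = re.compile(r'^/SOGo/so/(?P<user>[^/]+)/')


def parse_line(line):
    """Return (ip, username, status) for a request to a per-user URL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = USER_RE.match(m.group('path'))
    if not u:
        return None
    return m.group('ip'), u.group('user'), int(m.group('status'))


def find_enumeration(log_text, min_users=4):
    """Flag client IPs that probed at least `min_users` distinct user URLs and
    saw more than one status code, i.e. the valid/invalid discrepancy was
    observable. Returns {ip: (distinct_users, sorted_status_codes)}."""
    probes = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, user, status = rec
        probes[ip][user].add(status)
    flagged = {}
    for ip, users in probes.items():
        statuses = set().union(*users.values())
        if len(users) >= min_users and len(statuses) > 1:
            flagged[ip] = (len(users), sorted(statuses))
    return flagged
```

A real deployment would key on whatever distinguishes the two responses (status code, redirect target or body length) and tune `min_users` to normal traffic; a single client receiving the login page for every user URL, as the reporter requests, would no longer trip the mixed-status test.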