# CVE-2022-44023

## <mark style="color:yellow;">CVE Detail</mark>

PwnDoc through 0.5.3 might allow remote attackers to identify disabled user account names by leveraging response messages for authentication attempts.

<table><thead><tr><th width="111">Product</th><th width="175">CVE</th><th width="163">Owner</th><th width="175">CVSSv3 Score</th><th>CWE</th></tr></thead><tbody><tr><td><a href="https://github.com/pwndoc/pwndoc/issues/382">pwndoc</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-44023">CVE-2022-44023</a></td><td><a href="https://nstsec.com">Lorenzo Anastasi</a></td><td><mark style="background-color:orange;"><strong>5.3 Medium</strong></mark></td><td><a href="https://cwe.mitre.org/data/definitions/307.html">CWE-307</a></td></tr></tbody></table>

## <mark style="color:yellow;">Exploitation Steps</mark>

It is possible to enumerate "disabled account" usernames in PwnDoc (tested on 0.5.3 - 2022-07-19) by observing the web server's responses to login requests.\
For example, suppose these users were registered in PwnDoc and then disabled:

<figure><img src="https://user-images.githubusercontent.com/43656486/197575082-75aa6a5b-a6d1-42d5-812a-d7c187f290d5.png" alt=""><figcaption></figcaption></figure>

Trying to log in with one of these disabled users, the application in fact responds with the message "Account disabled".

<figure><img src="https://user-images.githubusercontent.com/43656486/197575370-dc703a4a-1b7c-441f-b7d4-e0daa76f01cd.png" alt=""><figcaption></figcaption></figure>

Client request and server response:<br>

<figure><img src="https://user-images.githubusercontent.com/43656486/197575737-eb306e25-72e4-4038-8d6c-8d68a517a593.png" alt=""><figcaption></figcaption></figure>

Trying to log in with a user who does not exist, the application responds with "Invalid credentials":

<figure><img src="https://user-images.githubusercontent.com/43656486/197577964-54e66c72-ef86-4159-b32a-0e01c6e69470.png" alt=""><figcaption></figcaption></figure>

This server behavior can be exploited to enumerate the disabled users on the platform, accounts that an admin may re-enable and that may therefore be used again in the future.

By performing a dictionary attack, a predefined list of usernames can be submitted via login POST requests, keeping the usernames that produce an "Account disabled" response and discarding those that produce "Invalid credentials".

<figure><img src="https://user-images.githubusercontent.com/43656486/197577080-a04374ec-70fc-4ab8-b15c-e8e19b84927e.png" alt=""><figcaption></figcaption></figure>
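The dictionary attack described above leaves a recognisable trace: one client address submitting many distinct usernames within a short window, with a mix of "disabled" and "invalid" outcomes. The following detection routine is an added example, not code from the advisory or from PwnDoc; it runs over constructed JSON-per-line authentication log records whose field names (`ts`, `ip`, `user`, `result`) and result values are assumptions, not PwnDoc's log schema. A sliding window per source address counts distinct usernames, and any source exceeding the threshold is reported together with the usernames that received the disabled-account response.

```javascript
// Added example (not from the advisory or PwnDoc): flag login sources that
// try many distinct usernames in a short window, the pattern a dictionary
// attack against the "Account disabled" / "Invalid credentials" difference
// leaves in an authentication log.

// Constructed sample log, one JSON record per line. Field names and result
// values are assumptions for this example, not PwnDoc's real log format.
const SAMPLE_LOG = `
{"ts":"2022-10-24T10:00:01Z","ip":"203.0.113.7","user":"alice","result":"invalid_credentials"}
{"ts":"2022-10-24T10:00:02Z","ip":"203.0.113.7","user":"bob","result":"account_disabled"}
{"ts":"2022-10-24T10:00:03Z","ip":"203.0.113.7","user":"carol","result":"account_disabled"}
{"ts":"2022-10-24T10:00:04Z","ip":"203.0.113.7","user":"dave","result":"invalid_credentials"}
{"ts":"2022-10-24T10:00:05Z","ip":"203.0.113.7","user":"erin","result":"invalid_credentials"}
{"ts":"2022-10-24T10:00:06Z","ip":"203.0.113.7","user":"frank","result":"invalid_credentials"}
{"ts":"2022-10-24T10:05:00Z","ip":"198.51.100.5","user":"alice","result":"invalid_credentials"}
{"ts":"2022-10-24T10:05:20Z","ip":"198.51.100.5","user":"alice","result":"invalid_credentials"}
{"ts":"2022-10-24T10:05:40Z","ip":"198.51.100.5","user":"alice","result":"success"}
`;

// Parse the log text into records, adding a numeric epoch-seconds timestamp.
function parseAuthLog(text) {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((line) => {
      const rec = JSON.parse(line);
      return { ...rec, t: Date.parse(rec.ts) / 1000 };
    });
}

// Report every source IP whose peak number of distinct usernames inside any
// windowSeconds-long window reaches minDistinctUsers. The report lists which
// usernames got the "account_disabled" answer, i.e. what the attacker learned.
function findEnumerationSources(records, { windowSeconds = 60, minDistinctUsers = 5 } = {}) {
  const byIp = new Map();
  for (const r of records) {
    if (!byIp.has(r.ip)) byIp.set(r.ip, []);
    byIp.get(r.ip).push(r);
  }

  const flagged = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.t - b.t);
    const inWindow = new Map(); // username -> number of events currently in the window
    let start = 0;
    let peakDistinct = 0;
    for (let end = 0; end < events.length; end++) {
      const u = events[end].user;
      inWindow.set(u, (inWindow.get(u) || 0) + 1);
      // Slide the window start forward until it spans at most windowSeconds.
      while (events[end].t - events[start].t > windowSeconds) {
        const old = events[start].user;
        const n = inWindow.get(old) - 1;
        if (n === 0) inWindow.delete(old);
        else inWindow.set(old, n);
        start++;
      }
      peakDistinct = Math.max(peakDistinct, inWindow.size);
    }
    if (peakDistinct >= minDistinctUsers) {
      flagged.push({
        ip,
        peakDistinctUsers: peakDistinct,
        disabledHits: events
          .filter((e) => e.result === "account_disabled")
          .map((e) => e.user),
      });
    }
  }
  return flagged;
}

// Stand-alone run: prints the flagged sources for the constructed log.
console.log(JSON.stringify(findEnumerationSources(parseAuthLog(SAMPLE_LOG)), null, 2));
```

The threshold and window are tuning knobs: a single user mistyping a password several times (the second address in the sample) never exceeds one distinct username, so it is not reported, while the enumeration source is reported with the two usernames that the application confirmed as disabled.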

The standard mitigation for this vulnerability is to return identical responses for "valid user/wrong password" and "invalid user" login requests, so that the login response reveals nothing about whether, or in what state, an account exists.
