Exploit Title : CWP (CentOS Control Web Panel) User enumerate through HTTP response time Date : 15 Jul 2019 Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak Vendor Homepage : https://control-webpanel.com/ Software Link : Not available, user panel only available for lastest version Version : 0.9.8.848 Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit) CVE-Number : CVE-2019-13599 Reference : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13599.md # Description In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times # PoC 1. Login with valid user and invalid password, the server response time is about 250ms 2. Login with an invalid user and invalid password, the server response time is about 180ms *The response time are also depend on the network speed. but however, when we log in with valid and invalid username, the response time will be different