Under review

Security concern: User Accounts Enumeration

4 months ago • updated 3 months ago • 2

Security concern: User Accounts Enumeration

When using LDAP as the user source, the application's response during authentication requests allows an unauthenticated attacker to enumerate valid accounts.

The responses contain variations when authentication failures occur.

By evaluating these differences, an attacker can enumerate users from a company's domain using scripts and automated tools.

Reference

Testing for User Enumeration and Guessable User Account (OWASP-AT-002) - OWASP

Proof of Concept

When trying to authenticate with an invalid username,

The system responds with "Invalid credentials. Please try again."

When trying to authenticate with a Valid username,

The system responds with "Password has expired; contact your system administrator to change your password and try again."

ConnectWise Control Version:

20.9

Server Affected:

Host Client Affected:

Guest Client Affected:

Vote

Answer

4 months ago

Hi Mendy,

Thanks for raising your concern here. You can always change the message to see the response you would like from Admin > Appearance page.

Replies 2
Oldest first
- Newest first
- Oldest first

Answer

4 months ago

Hi Mendy,

Thanks for raising your concern here. You can always change the message to see the response you would like from Admin > Appearance page.

3 months ago

I did that.

I'm just bringing this up as a potential security concerns that should be corrected for everyone

Customer support service by UserEcho

Security concern: User Accounts Enumeration

Answer

Replies 2