Under review

Security concern: User Accounts Enumeration

Mendy S 7 months ago updated 7 months ago 2

When using LDAP as the user source, the application's response during authentication requests allows an unauthenticated attacker to enumerate valid accounts. 


The responses contain variations when authentication failures occur.


By evaluating these differences, an attacker can enumerate users from a company's domain using scripts and automated tools.

Reference

Testing for User Enumeration and Guessable User Account (OWASP-AT-002) - OWASP

Proof of Concept

When trying to authenticate with an invalid username, the system responds with "Invalid credentials. Please try again."


When trying to authenticate with a valid username, the system responds with "Password has expired; contact your system administrator to change your password and try again."

ConnectWise Control Version:
20.9
Server Affected:
Host Client Affected:
Guest Client Affected:
OS:
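As an added illustration (not ConnectWise code), the two message policies side by side: a login handler that maps LDAP bind outcomes to the distinct replies quoted above, and one that returns a single reply and keeps the real reason in the server log. The directory, account names and bind outcomes are constructed so the snippet runs offline.

```python
from enum import Enum, auto
import logging

log = logging.getLogger("auth")

class BindOutcome(Enum):
    OK = auto()
    NO_SUCH_USER = auto()      # entry not found in the directory
    BAD_PASSWORD = auto()      # LDAP invalidCredentials
    PASSWORD_EXPIRED = auto()  # password-policy state, as in the report

# Constructed stand-in for the LDAP directory; a real deployment performs a bind here.
_FAKE_DIRECTORY = {"alice": ("s3cret", BindOutcome.OK),
                   "bob": ("s3cret", BindOutcome.PASSWORD_EXPIRED)}

def ldap_bind(username, password):
    entry = _FAKE_DIRECTORY.get(username)
    if entry is None:
        return BindOutcome.NO_SUCH_USER
    stored, state = entry
    if state is not BindOutcome.OK:
        return state  # constructed: account state is reported before the password is checked
    return BindOutcome.OK if password == stored else BindOutcome.BAD_PASSWORD

GENERIC = "Invalid credentials. Please try again."
EXPIRED = ("Password has expired; contact your system administrator "
           "to change your password and try again.")

def leaky_login(username, password):
    """Mirrors the reported behaviour: the reply text depends on the account's state."""
    outcome = ldap_bind(username, password)
    if outcome is BindOutcome.OK:
        return "ok"
    return EXPIRED if outcome is BindOutcome.PASSWORD_EXPIRED else GENERIC

def hardened_login(username, password):
    """Every failure gets the same reply; the real reason goes to the server log only."""
    outcome = ldap_bind(username, password)
    if outcome is BindOutcome.OK:
        return "ok"
    log.info("login failed user=%r outcome=%s", username, outcome.name)
    return GENERIC

def responses_distinguish_users(login, known_user, unknown_user):
    """True when an unauthenticated caller can tell a real account from a fake one by reply text."""
    return login(known_user, "wrong") != login(unknown_user, "wrong")
```

A user whose password really has expired can still be told so, but after the credential has been verified or via the administrator, not in the reply sent to an unauthenticated caller.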

Answer

Hi Mendy,

Thanks for raising your concern here. You can always change the message to see the response you would like from the Admin > Appearance page.

Answer

I did that.

I'm just bringing this up as a potential security concern that should be corrected for everyone.