Security concern: User Account Enumeration
When using LDAP as the user source, the application's response during authentication requests allows an unauthenticated attacker to enumerate valid accounts.
The response text varies depending on why authentication failed.
By comparing these differences, an attacker can enumerate valid users from a company's domain using scripts and automated tools.
Proof of Concept
When trying to authenticate with an invalid username,
the system responds with "Invalid credentials. Please try again."
When trying to authenticate with a valid username,
the system responds with "Password has expired; contact your system administrator to change your password and try again."
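An added illustration of the fix a developer would apply (example code, not the application's own): the leaking handler beside a hardened one that returns a single message for every failure and keeps the real reason in the server log. The LDAP directory is a constructed stand-in dict, not a real bind.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("auth")

# Constructed stand-in for the directory; a real deployment binds to LDAP.
FAKE_DIRECTORY = {
    "alice": {"password": "s3cret", "expired": False},
    "bob": {"password": "hunter2", "expired": True},
}


@dataclass
class BindResult:
    ok: bool
    reason: str  # "no_such_user", "bad_password", "password_expired", "ok"


def ldap_bind(username: str, password: str) -> BindResult:
    """Simulated bind; real servers report these as distinct result codes."""
    entry = FAKE_DIRECTORY.get(username)
    if entry is None:
        return BindResult(False, "no_such_user")
    if entry["expired"]:
        return BindResult(False, "password_expired")
    if entry["password"] != password:
        return BindResult(False, "bad_password")
    return BindResult(True, "ok")


GENERIC_FAILURE = "Invalid credentials. Please try again."


def login_vulnerable(username: str, password: str) -> str:
    """Leaks the reason: the expiry wording confirms the username exists."""
    r = ldap_bind(username, password)
    if r.ok:
        return "OK"
    if r.reason == "password_expired":
        return ("Password has expired; contact your system administrator "
                "to change your password and try again.")
    return GENERIC_FAILURE


def login_hardened(username: str, password: str) -> str:
    """Every failure maps to one message; the detail goes to the server log."""
    r = ldap_bind(username, password)
    if r.ok:
        return "OK"
    log.info("auth failure user=%r reason=%s", username, r.reason)
    return GENERIC_FAILURE


def responses_identical(handler, users, password: str = "wrong") -> bool:
    """True when the handler's failure text does not vary across usernames."""
    return len({handler(u, password) for u in users}) == 1
```

If expiry must be surfaced to the user, do it only after the credentials have been verified, never on the failure path that an unauthenticated caller can drive.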