Observable Response Discrepancy - CWE - 204
Hello team, we did a pentest and a low vulnerability was found.
OWASP-Top10: A05:2021 – Security Misconfiguration CWE: CWE-204: Observable Response Discrepancy
Expected behaviour:
Not show information parameter: userId
Actual behaviour
When a user writes '/' and clicks reset password, we get this information below: Parameter "userId" for route "core.lost.resetform" must match "[^/]++" ("/" given) to generate a corresponding URL
Environment general
Oracle Linux 8
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory
Environment ownCloud Infinite Scale
Version: 10.12.2 (stable)
Regards, Fabio
This is core 10.12.2
Not show information parameter: userId
I fail to see any security related issue with this.
userId
is a routing parameter and the related code is open source anyway
https://github.com/owncloud/core/blob/11076ecce92b44d82f18dcffa8696fa272410ea3/core/routes.php#L38
This is core 10.12.2
Sorry... was misled by Environment ownCloud Infinite Scale in the description, but of course that was only because of the issue template.
Sorry, my bad, it is the first issue that I have opened. What I would like is to change the message shown to the end user, to something like "user not recognized".
Hello, I was thinking about this and for us it is working this way (it avoids showing the route, etc.): add this JavaScript to the /core/js/login.js and /core/js/lostpassword.js files.
    $(document).ready(function() {
        $('#submit').click(function(e) {
            var userId = $('#user').val();
            // Characters that must never reach the lost-password route
            var invalidChars = ['/', '*', '&', '%', '+'];
            var isInvalid = invalidChars.some(function(char) {
                return userId.includes(char);
            });
            // Block the submit and show a generic message instead of the routing error
            if (isInvalid || userId.length < 5) {
                e.preventDefault();
                alert('Invalid User');
                $('#user').val('');
                $('#password').val('');
            }
        });
    });
I hope that this can help.
Regards, Fabio Lima
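A client-side check like the one above can be skipped by anyone who submits the request directly, so the same constraint has to be enforced on the server, and the response should be identical whether the user ID is malformed, unknown, or valid. The following is an added example, not ownCloud code: a framework-free Node.js handler (function names and the in-memory user store are assumptions) that applies the route's "[^/]++" constraint server-side before any routing happens and always returns one generic message, so that no response discrepancy is observable.

```javascript
// Added example (not ownCloud code): uniform server-side handling of a
// lost-password request so that malformed, unknown and known user IDs
// all produce the same observable response.
"use strict";

// The route constraint quoted in the issue: anything except '/'.
// PHP's "[^/]++" is a possessive quantifier; "[^/]+" is the JS equivalent.
const USER_ID_PATTERN = /^[^/]+$/;

// Constructed sample user store standing in for the real user backend.
const KNOWN_USERS = new Set(["alice", "bob"]);

// The only message the client ever sees, regardless of the outcome.
const GENERIC_MESSAGE =
  "If an account with that user ID exists, a password reset link has been sent.";

function isWellFormedUserId(userId) {
  return typeof userId === "string" && USER_ID_PATTERN.test(userId);
}

// Returns the response for a reset request. The side effect (sending the
// mail) happens only for known users, but status and body are the same
// in every branch, so neither the routing exception nor the existence
// of the account is exposed to the caller.
function handleLostPasswordRequest(userId, sendMail) {
  if (isWellFormedUserId(userId) && KNOWN_USERS.has(userId)) {
    sendMail(userId); // real work; not observable in the response
  }
  return { status: 200, body: { message: GENERIC_MESSAGE } };
}

// Self-check: feed a mix of IDs through the handler and report whether
// all responses serialize identically and which users were mailed.
function responsesAreIndistinguishable(userIds) {
  const mailed = [];
  const serialized = new Set(
    userIds.map((id) =>
      JSON.stringify(handleLostPasswordRequest(id, (u) => mailed.push(u))),
    ),
  );
  return { uniform: serialized.size === 1, mailed };
}
```

In production the mail send should also run asynchronously or with padded response time, otherwise latency replaces the message as the discriminator.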