CVE-2024-12483 - Insecure Direct Object Reference (IDOR) in Dromara UJCMS 9.6.3 Allows Username Enumeration via User ID manipulation
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in UJCMS version 9.6.3 that allows unauthenticated enumeration of usernames by manipulating the user id parameter of the /users/id endpoint. Although user IDs are generally large numbers (e.g., 69278363520885761), with the exception of the admin and anonymous accounts, an unauthenticated attacker can still systematically discover the usernames of existing accounts.
- Endpoint: /users/id
- Application Version: 9.6.3
CWE-639: Authorization Bypass Through User-Controlled Key
User enumeration
- Access the application as an unauthenticated user.
- For local testing, visit http://localhost:8080/users/id, replacing id with any arbitrary integer.
- If a user id is invalid, the response contains "User not found. ID: your supplied ID"; if it is valid, the response discloses the account's username.
- Repeat the process with different id values to collect the usernames of existing accounts.
The application fails to implement proper access controls on the /users/id endpoint. This allows any unauthenticated user to enumerate the usernames associated with arbitrary id values.
- Authorization Checks: Validate that the requesting user is authorized to access the user record associated with the provided id before returning any data.
- Randomized Identifiers: Replace numeric user IDs with opaque, non-predictable identifiers such as UUIDs.
- Generic Error Responses: Avoid exposing usernames in responses. Return generic error messages like 403 Forbidden or 404 Not Found for unauthorized requests.
- Rate Limiting: Implement rate-limiting mechanisms to reduce the risk of automated enumeration attacks.
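The following is an added illustration, not code from UJCMS (which is a Java project): a Python model of the endpoint that contrasts the reported behaviour with a handler applying the first and third mitigations above. The user table, the Response type and the function names are constructed for this example; the key point is that the hardened handler answers "forbidden" and "not found" identically, so an outsider cannot tell whether an id exists.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed in-memory user store standing in for the application's database.
# The large values mirror the ID format the advisory mentions; the admin
# account keeps a small, predictable ID, which is what makes it easy to guess.
USERS = {
    1: "admin",
    69278363520885761: "alice",
    69278363520885762: "bob",
}


@dataclass
class Response:
    status: int
    body: str


def vulnerable_lookup(user_id: int, requester: Optional[int]) -> Response:
    """Models the behaviour the advisory describes: the requester is ignored,
    and the reply differs between an existing and a missing ID."""
    name = USERS.get(user_id)
    if name is None:
        return Response(404, f"User not found. ID: {user_id}")
    return Response(200, json.dumps({"id": user_id, "username": name}))


def hardened_lookup(user_id: int, requester: Optional[int]) -> Response:
    """Authorization first; then one generic response for every case in which
    the requester may not see the record, so 'forbidden' and 'not found'
    are indistinguishable and the endpoint stops acting as an oracle."""
    if requester is None:
        return Response(401, "Authentication required")
    name = USERS.get(user_id)
    is_admin = USERS.get(requester) == "admin"
    # Only the account owner or an admin may read the record. Note the error
    # body never echoes the supplied id or the stored username.
    if name is None or (requester != user_id and not is_admin):
        return Response(404, "Not found")
    return Response(200, json.dumps({"id": user_id, "username": name}))


def leaks_existence(lookup: Callable[[int, Optional[int]], Response],
                    existing: int, missing: int) -> bool:
    """True if an unauthenticated caller gets different responses for an
    existing and a nonexistent ID, i.e. the endpoint reveals which IDs exist."""
    return lookup(existing, None) != lookup(missing, None)
```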