Attack Chain

1. An unauthenticated attacker identifies the existingUsernameCheck.php endpoint.
2. The attacker crafts a POST request to existingUsernameCheck.php with a username to check.
3. The attacker sends the POST request to the server.
4. The server processes the request and checks if the provided username exists in the database.
5. The server responds with a text response.
6. The attacker analyzes the response text for the presence of the string “taken”.
7. If “taken” is present, the attacker confirms the existence of the username.
8. The attacker repeats this process with different usernames to enumerate valid accounts.

Impact

Successful exploitation of this vulnerability allows attackers to enumerate valid usernames on the userSpice 4.3.24 platform. While this vulnerability does not directly lead to account compromise, the enumerated usernames can be used in conjunction with other attack vectors, such as password brute-forcing or targeted phishing campaigns, to gain unauthorized access to user accounts. The number of potential victims depends on the number of userSpice installations and the number of accounts on those installations.

Recommendation

• Apply available patches or upgrades to userSpice to versions beyond 4.3.24 to remediate CVE-2018-25350.
• Deploy the Sigma rule Detect userSpice Username Enumeration via existingUsernameCheck.php to your SIEM to identify potential enumeration attempts by monitoring POST requests to the vulnerable endpoint.
• Monitor web server logs for suspicious POST requests to existingUsernameCheck.php as described in the attack chain to identify and investigate potential username enumeration attempts.