Executive Summary

This vulnerability exists in ChurchCRM versions prior to 7.2.0. The public API login endpoint (/api/public/user/login) returns different HTTP response codes depending on whether a username exists or not: it returns 404 for non-existent users and 401 for valid users with incorrect passwords. Because of this behavior, an unauthenticated attacker can determine which usernames are valid by observing the response codes. Additionally, there is no rate limiting or account lockout to prevent repeated attempts, making it easier to enumerate valid usernames.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an attacker to enumerate valid usernames on the ChurchCRM system without authentication. This can lead to targeted attacks such as phishing, social engineering, or brute force password attempts on known usernames. Since there is no rate limiting or account lockout, attackers can automate this process efficiently, increasing the risk of unauthorized access or information disclosure.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by observing the HTTP response codes returned by the ChurchCRM public API login endpoint (/api/public/user/login). Specifically, sending login requests with different usernames and analyzing the response codes can reveal whether a username exists.

• Send a login request with a non-existent username and note if the response code is 404.
• Send a login request with a valid username but incorrect password and note if the response code is 401.

Commands using curl to test this could be:

• curl -X POST -d '{"username":"nonexistentuser","password":"any"}' -H "Content-Type: application/json" http://yourchurchcrm/api/public/user/login -i
• curl -X POST -d '{"username":"validuser","password":"wrongpassword"}' -H "Content-Type: application/json" http://yourchurchcrm/api/public/user/login -i

Comparing the HTTP status codes from these requests can help detect if the system is vulnerable to username enumeration.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade ChurchCRM to version 7.2.0 or later, where this issue has been fixed.

Until the upgrade can be applied, consider implementing rate limiting and account lockout mechanisms on the login endpoint to reduce the risk of automated username enumeration.

Additionally, avoid exposing detailed HTTP response codes that differentiate between non-existent usernames and incorrect passwords.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an unauthenticated attacker to enumerate valid usernames through the public API login endpoint by observing different HTTP response codes.

Such username enumeration can increase the risk of targeted attacks on user accounts, potentially leading to unauthorized access or data exposure.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to enumerate usernames may impact compliance by exposing user identity information, which is considered personal data under GDPR.

This exposure could be viewed as a failure to adequately protect user data, which is a requirement under many data protection regulations.

Useful 0 Not Useful 0