Observable Response Discrepancy in osticket/osticket
Sep 28th 2021
The forgot-password form can be abused to enumerate valid usernames, because the application returns a different response depending on whether the submitted user exists or not.
Proof of Concept
1. Go to [OSTICKET-SERVER]/htdocs/osticket/scp/pwreset.php
2. Key in a user which does not exist; the response is: "Unable to verify username"
3. Key in a user which exists; the response is: "A confirmation email has been sent"
This vulnerability is capable of enumerating possible usernames on the application.
The application should return the same response whether a valid or an invalid username is keyed in, for example:
"If the user exists, a password reset email was sent to your email. Follow the link in the email to reset your password."
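The following is an added illustration of the fix described above, not osTicket's own code: a minimal reset handler written the way the report describes it (distinct messages for known and unknown users) next to a hardened version that returns one fixed message and defers the email so the visible behaviour is the same on both paths. The user store, `Response` class, and function names are constructed for the example.

```python
"""Password-reset response discrepancy: vulnerable pattern vs. uniform response."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample user store (username -> email); not real osTicket data.
USERS: Dict[str, str] = {"alice": "alice@example.com", "bob": "bob@example.com"}

# Stand-in for a mail queue consumed by a background worker.
OUTBOX: List[str] = []

# The single message the hardened handler returns in every case (wording from the report).
GENERIC_MESSAGE = (
    "If the user exists, a password reset email was sent to your email. "
    "Follow the link in the email to reset your password."
)


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def queue_reset_email(email: str) -> None:
    """Defer delivery to a worker so the HTTP response does not wait on SMTP."""
    OUTBOX.append(email)


def reset_vulnerable(username: str, users: Dict[str, str] = USERS) -> Response:
    """Discrepant handler: status code and body reveal whether the user exists."""
    email = users.get(username)
    if email is None:
        return Response(400, "Unable to verify username")
    queue_reset_email(email)
    return Response(200, "A confirmation email has been sent")


def reset_hardened(username: str, users: Dict[str, str] = USERS) -> Response:
    """Uniform handler: same status and body for known and unknown usernames.

    The lookup still happens, and the email is only queued, so the response
    path does the same visible work regardless of the outcome.
    """
    email = users.get(username)
    if email is not None:
        queue_reset_email(email)
    return Response(200, GENERIC_MESSAGE)


def responses_identical(handler: Callable[[str], Response],
                        existing: str, missing: str) -> bool:
    """Regression check: a reset endpoint must not let its response depend on
    whether the username exists. Compares status and body for one known and
    one unknown username."""
    known, unknown = handler(existing), handler(missing)
    return (known.status, known.body) == (unknown.status, unknown.body)


if __name__ == "__main__":
    print("vulnerable identical:", responses_identical(reset_vulnerable, "alice", "mallory"))
    print("hardened identical:  ", responses_identical(reset_hardened, "alice", "mallory"))
```

`responses_identical` is the kind of check worth keeping in a test suite for any account-recovery or login endpoint, since the discrepancy tends to creep back in when error handling is refactored. Note that a uniform body is the necessary part of the fix but not the whole of it: if the existing-user path performed slow work inline (sending mail, hashing a token) the difference would remain observable as response time, which is why the hardened handler only enqueues the email.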