Bug 1918636

Summary: username enumeration from kinit in WebUI
Product: Red Hat Enterprise Linux 8
Reporter: Thorsten Scherf <tscherf>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED NOTABUG
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.4
CC: cbuissar, ftrivino, mpanaous, pvoborni, rcritten, tscherf
Target Milestone: rc
Keywords: Desktop, Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-10 07:56:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Thorsten Scherf 2021-01-21 09:37:37 UTC
Description of problem:
It is possible to enumerate users in the Web UI using the login function. The response from the
server when trying to log in as an existing user is different from the response after using a non-existing
username.

Below you can find the response for a non-existing username.

Response:
HTTP/1.1 401 Unauthorized
Date: Wed, 02 Dec 2020 12:41:57 GMT
Server: Apache
X-IPA-Rejection-Reason: invalid-password
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
Cache-Control: no-cache, private
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 246
Connection: close
Content-Type: text/html; charset=utf-8
<html>
<head>
<title>401 Unauthorized</title>
</head>
<body>
<h1>Invalid Authentication</h1>
<p>
<strong>kinit: Client 'testtest@$example_domain.com' not found in Kerberos database while getting initial credentials
</strong>
</p>
</body>
</html> 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
No exposure of valid usernames through the WebUI.

Additional info:

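As an added illustration (not code from the report or from FreeIPA), the following shows the response-normalisation a Web UI front end could apply so that the body returned for a non-existing principal is identical to the one returned for a wrong password, while the real kinit reason is retained in a server-side log. The two sample bodies are constructed from the response quoted above and from a typical wrong-password kinit message; the header name X-IPA-Rejection-Reason is the one visible in the report. Note that, as comment 10 below states, this only changes the Web UI message and does not remove the distinction at the Kerberos protocol level.

```python
import html
import logging
import re
from typing import Dict, Optional, Tuple

# Constructed samples. The first mirrors the 401 body quoted in the report
# (domain kept as the report's placeholder); the second is a typical kinit
# wrong-password message wrapped in the same HTML skeleton.
BODY_NO_SUCH_USER = (
    "<html><head><title>401 Unauthorized</title></head><body>"
    "<h1>Invalid Authentication</h1><p><strong>kinit: Client "
    "'testtest@$example_domain.com' not found in Kerberos database "
    "while getting initial credentials</strong></p></body></html>"
)
BODY_BAD_PASSWORD = (
    "<html><head><title>401 Unauthorized</title></head><body>"
    "<h1>Invalid Authentication</h1><p><strong>kinit: Password incorrect "
    "while getting initial credentials</strong></p></body></html>"
)

# Uniform body sent to every client on a failed login.
GENERIC_BODY = (
    "<html><head><title>401 Unauthorized</title></head><body>"
    "<h1>Invalid Authentication</h1><p><strong>Login failed: invalid "
    "username or password</strong></p></body></html>"
)

REASON_HEADER = "X-IPA-Rejection-Reason"  # header name as seen in the report
log = logging.getLogger("login-audit")


def extract_kinit_reason(body: str) -> Optional[str]:
    """Return the kinit error text embedded in a 401 body, or None."""
    m = re.search(r"<strong>(kinit:[^<]*)</strong>", body, re.S)
    return html.unescape(m.group(1)).strip() if m else None


def uniform_login_failure(status: int, headers: Dict[str, str], body: str,
                          client: str) -> Tuple[int, Dict[str, str], str]:
    """Replace the body of a 401 login response with GENERIC_BODY.

    Non-401 responses pass through untouched. The detailed reason goes to
    the audit log so operators still see it; existing headers are kept and
    Content-Length is recomputed for the new body."""
    if status != 401:
        return status, headers, body
    reason = extract_kinit_reason(body) or headers.get(REASON_HEADER, "unknown")
    log.warning("login failure from %s: %s", client, reason)
    out = dict(headers)
    out["Content-Type"] = "text/html; charset=utf-8"
    out["Content-Length"] = str(len(GENERIC_BODY.encode("utf-8")))
    return 401, out, GENERIC_BODY
```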
Comment 10 Trivino 2022-05-10 07:56:50 UTC
Attaching upstream ticket: https://pagure.io/freeipa/issue/9114

After evaluating this BZ, the behavior is the same for Kerberos protocol and all KDC implementations. Changing a message response over Web UI does not prevent all points to access it and, most importantly, does not solve the problem.