osTicket
cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*
- <= 1.18.2
A user enumeration vulnerability exists in osTicket version 1.18.2 within the pwreset.php file. This vulnerability allows remote attackers to identify valid usernames registered on the platform. The issue arises from a timing discrepancy in server responses when processing password reset requests, which can be exploited to infer the existence of usernames.
Exploitation of this vulnerability allows for user enumeration, enabling attackers to identify valid usernames. This can lead to targeted attacks such as credential stuffing, phishing, or brute-force login attempts, significantly increasing the risk of account compromise.
To reproduce this vulnerability, first ensure that the SMTP email service is configured. Then, send password reset requests through the pwreset.php page. Intercept these requests using a tool like Burp Suite. Analyze the response times: requests for valid usernames will take several seconds as the application processes the email delivery, while requests for invalid usernames will return almost instantly. This timing difference can be exploited to create a list of valid usernames.
Users are advised to upgrade to osTicket version 1.18.3 or later, where this vulnerability has been fixed. The patch introduces a minimum response time for password reset requests, ensuring that both valid and invalid usernames are treated equally in terms of response latency.
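The minimum-response-time approach described above, shown in PHP as an added example. It is not osTicket's patch: `with_minimum_duration`, `handle_reset`, the sample usernames and the 1-second floor are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Run $handler, then sleep until at least $floorSeconds have elapsed, so the
 * fast path (unknown user) and the slow path (mail sent) take the same time
 * from the client's point of view. Hypothetical helper, not osTicket code.
 */
function with_minimum_duration(callable $handler, float $floorSeconds)
{
    $start = hrtime(true);                        // monotonic clock, nanoseconds
    try {
        return $handler();
    } finally {
        // Pad on every exit, including exceptions, so errors are not faster.
        $elapsed = (hrtime(true) - $start) / 1e9;
        $remaining = $floorSeconds - $elapsed;
        if ($remaining > 0) {
            usleep((int) round($remaining * 1e6));
        }
    }
}

// Constructed stand-in for a reset handler: known accounts trigger a slow
// mail send (simulated with usleep), unknown accounts return immediately.
function handle_reset(string $username): string
{
    $known = ['alice', 'bob'];                    // constructed sample data
    if (in_array($username, $known, true)) {
        usleep(300000);                           // simulated SMTP delivery, 0.3 s
    }
    // Same body either way: the response text must not reveal the outcome.
    return 'If the account exists, a reset link has been sent.';
}

// Time both cases through the wrapper; each should take about the floor.
foreach (['alice', 'no-such-user'] as $name) {
    $t0 = hrtime(true);
    with_minimum_duration(fn () => handle_reset($name), 1.0);
    printf("%-14s %.2f s\n", $name, (hrtime(true) - $t0) / 1e9);
}
```

The floor only hides the difference when it is longer than the slowest real path, so it has to be set above worst-case mail delivery time.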