ApostropheCMS
cpe:2.3:a:apostrophecms:apostrophecms:*:*:*:*:*:*:*
- <= 4.28.0
A timing side-channel vulnerability has been identified in ApostropheCMS versions 4.28.0 and prior, specifically in the password reset endpoint. It allows unauthenticated attackers to enumerate valid usernames and email addresses. The endpoint introduces a fixed 2-second delay when no matching user is found, but does not normalize the response time when a user is found, so the difference in response time reveals whether a submitted username or email address belongs to an existing account. Only instances with the password reset option enabled are affected; the option is disabled by default.
Exploitation allows unauthenticated username and email enumeration, which can feed credential stuffing or targeted phishing attacks.
To reproduce, send a POST request to the password reset endpoint with a nonexistent email or username; the response takes approximately 2 seconds. Then send a request with a valid email or username and compare the response time: it differs noticeably, faster or slower depending on the SMTP server in use, because the valid-user branch is bounded by mail delivery rather than by the fixed delay. Repeat each measurement a few times and compare medians to separate the signal from network jitter; a consistent deviation from the 2-second baseline confirms that the account exists.
Update to ApostropheCMS version 4.29.0, which normalizes response times in the password reset flow to prevent user enumeration.
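The following is an added illustration, not ApostropheCMS's own code, of the reproduction steps and the fix described above: a reset handler with the flawed shape (delay only on the not-found branch), a handler that enforces a minimum response time on every branch, and the attacker-side timing oracle. The function names, the constructed user table, the simulated SMTP latency and the virtual clock are assumptions; the 2-second floor is taken from the advisory text.

```javascript
// Added illustration, not ApostropheCMS's own code. Names, the constructed
// user table and the simulated SMTP latency are assumptions; the 2 s floor
// is the fixed not-found delay the advisory describes.
const FLOOR_MS = 2000;

// Constructed stand-in for the CMS user lookup.
const USERS = new Set(['admin', 'editor@example.com']);

// Simulated SMTP hand-off; real delivery time varies by mail server.
async function sendResetMail(username, clock, mailLatencyMs) {
  await clock.sleep(mailLatencyMs);
}

// Vulnerable shape: the delay is applied only on the not-found branch, so a
// found user returns as fast (or as slow) as the mail server allows.
async function resetRequestVulnerable(username, clock, mailLatencyMs = 300) {
  const started = clock.now();
  if (!USERS.has(username)) {
    await clock.sleep(FLOOR_MS);
  } else {
    await sendResetMail(username, clock, mailLatencyMs);
  }
  return { status: 200, elapsedMs: clock.now() - started };
}

// Normalized shape: every branch waits until FLOOR_MS has elapsed since the
// request started. The branches are indistinguishable only while mail
// delivery stays under the floor (see the slow-SMTP case in demo()).
async function resetRequestNormalized(username, clock, mailLatencyMs = 300) {
  const started = clock.now();
  if (USERS.has(username)) {
    await sendResetMail(username, clock, mailLatencyMs);
  }
  const remaining = FLOOR_MS - (clock.now() - started);
  if (remaining > 0) {
    await clock.sleep(remaining);
  }
  return { status: 200, elapsedMs: clock.now() - started };
}

// Attacker-side oracle: a response that lands well away from the 2 s floor,
// faster or slower, marks the candidate as an existing account.
function looksValid(elapsedMs, floorMs = FLOOR_MS, toleranceMs = 250) {
  return Math.abs(elapsedMs - floorMs) > toleranceMs;
}

// Time each candidate through the handler and classify it.
async function enumerate(handler, candidates, clock, mailLatencyMs) {
  const verdict = {};
  for (const name of candidates) {
    const { elapsedMs } = await handler(name, clock, mailLatencyMs);
    verdict[name] = looksValid(elapsedMs);
  }
  return verdict;
}

// Virtual clock: sleeps advance a counter instead of waiting, so the demo is
// instant and deterministic. realClock is what a probe against a live
// endpoint would use, with the handler call replaced by an HTTP request.
function fakeClock() {
  let t = 0;
  return { now: () => t, sleep: async (ms) => { t += ms; } };
}
const realClock = {
  now: () => Date.now(),
  sleep: (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
};

async function demo() {
  const names = ['admin', 'nobody'];
  return {
    vulnerable: await enumerate(resetRequestVulnerable, names, fakeClock(), 300),
    normalized: await enumerate(resetRequestNormalized, names, fakeClock(), 300),
    // Slow SMTP (2.5 s): a floor alone no longer hides the found branch.
    normalizedSlowSmtp: await enumerate(resetRequestNormalized, names, fakeClock(), 2500),
  };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

The slow-SMTP case is the caveat a reviewer of the fix should keep in mind: a minimum response time removes the signal only when the work on the found branch finishes under the floor. If mail delivery can exceed it, the endpoint should respond without waiting on delivery at all, for example by queueing the message and returning the same response on both branches.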