ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 7.1.2
A username enumeration vulnerability has been identified in ChurchCRM versions prior to 7.2.0. The issue arises in the public API login endpoint, which returns different HTTP response codes based on the existence of a username. A 404 status is issued for non-existent users, while a 401 status is given for valid users with incorrect passwords. This discrepancy allows an unauthenticated attacker to systematically identify valid usernames without facing any rate limiting or account lockout. The vulnerability has been patched in version 7.2.0.
Exploitation of this vulnerability allows for username enumeration, which could facilitate targeted brute-force attacks on user accounts.
To reproduce this vulnerability, send a POST request to the '/api/public/user/login' endpoint with a non-existent username. The response will indicate a 404 status. Next, send a request with an existing username and an incorrect password, which will return a 401 status. This differential response can be automated with a script to enumerate valid usernames.
Users can upgrade to ChurchCRM version 7.2.0 or later, where this vulnerability has been fixed.
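Until the upgrade is applied, the same response-code difference that enables the enumeration also makes it visible on the server side: one client drawing a burst of 404s from the login endpoint. The following detection script is an added example, not ChurchCRM code or part of the advisory; it assumes a combined-format web access log, uses constructed sample lines, and the window and threshold values are assumptions to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined log format. The endpoint is the one
# named in the advisory; the IPs, timestamps and user agents are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "POST /api/public/user/login HTTP/1.1" 404 52 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "POST /api/public/user/login HTTP/1.1" 404 52 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "POST /api/public/user/login HTTP/1.1" 401 61 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "POST /api/public/user/login HTTP/1.1" 404 52 "-" "curl/8.0"
198.51.100.2 - - [10/Mar/2025:12:05:00 +0000] "POST /api/public/user/login HTTP/1.1" 401 61 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2025:12:05:09 +0000] "POST /api/public/user/login HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LOGIN_PATH = "/api/public/user/login"
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_enumeration(lines, window_seconds=60, min_404=3):
    """Flag source IPs whose POSTs to the login endpoint drew at least
    min_404 responses with status 404 within window_seconds. Returns
    {ip: {"404": count, "401": count}}. Against a patched 7.2.0+ server
    the 404 count stays at zero, so nothing is flagged."""
    per_ip = defaultdict(list)           # ip -> [(timestamp, status), ...]
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != LOGIN_PATH:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        per_ip[m["ip"]].append((ts, int(m["status"])))
    flagged = {}
    for ip, hits in per_ip.items():
        not_found = sorted(ts for ts, st in hits if st == 404)
        # sliding window: any min_404 consecutive 404s inside the window
        for i in range(len(not_found) - min_404 + 1):
            span = (not_found[i + min_404 - 1] - not_found[i]).total_seconds()
            if span <= window_seconds:
                flagged[ip] = {"404": len(not_found),
                               "401": sum(1 for _, st in hits if st == 401)}
                break
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG.splitlines()))
```

A flagged IP with a high 404 count and a few 401s is the signature of a word list being walked against the endpoint; the 401s are the usernames that exist and are the accounts to watch for follow-on password guessing.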