IntelliChoice eFORCE Software Suite v2.5.9 Username Enumeration

Low
Advisory ID
ZSL-2021-5658
Release Date
28 July 2021
Vendor
IntelliChoice, Inc. - https://www.eforcesoftware.com
Affected Version
2.5.9.6, 2.5.9.5, 2.5.9.3, 2.5.9.2, 2.5.9.1, 2.5.8.0, 2.5.7.20, 2.5.7.18, 2.5.6.18, 2.5.4.6, 2.5.3.11
CVE
N/A
Tested On
Microsoft-IIS/10.0, Microsoft-IIS/8.5, ASP.NET/4.0.30319
Summary

IntelliChoice is a United States software company founded in 2003 that offers a software title called eFORCE Software Suite. eFORCE Software Suite is law enforcement software and includes features such as case management, court management, crime scene management, criminal database, dispatching, evidence management, field reporting, scheduling, court management integration, certification management, and incident mapping. With regard to system requirements, eFORCE Software Suite is available as SaaS, Windows, iPhone, and iPad software.

Description

The weakness is caused by the way the login script verifies provided credentials. An attacker can use this weakness to enumerate valid users on the affected application via the 'ctl00$MainContent$UserName' POST parameter.

Proof of Concept
Disclosure Timeline
03.05.2021 - Vulnerability discovered.
15.07.2021 - Vendor contacted.
27.07.2021 - No response from the vendor.
28.07.2021 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
28.07.2021 - Initial release
30.07.2021 - Added reference [1] and [2]
02.08.2021 - Added reference [3] and [4]