LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness

Title: LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness
Advisory ID: ZSL-2018-5451
Type: Local/Remote
Impact: Exposure of Sensitive Information
Risk: (2/5)
Release Date: 11.02.2018
Summary
LogicalDOC is a free document management system that is designed to handle and share documents within an organization. LogicalDOC is a content repository, with Lucene indexing, Activiti workflow, and a set of automatic import procedures.
Description
The weakness is caused due to the 'j_spring_security_check' script and how it verifies provided credentials. Attacker can use this weakness to enumerate valid users on the affected node.
Vendor
LogicalDOC Srl - https://www.logicaldoc.com
Affected Version
7.7.4
7.7.3
7.7.2
7.7.1
7.6.4
7.6.2
7.5.1
7.4.2
7.1.1
Tested On
Microsoft Windows 10
Linux Ubuntu 16.04
Java 1.8.0_161
Apache-Coyote/1.1
Apache Tomcat/8.5.24
Apache Tomcat/8.5.13
Undisclosed 8.41
Vendor Status
[26.01.2018] Vulnerabilities discovered.
[30.01.2018] Vendor contacted.
[07.02.2018] No response from the vendor.
[08.02.2018] Vendor contacted again.
[10.02.2018] No response from the vendor.
[11.02.2018] Public security advisory released.
PoC
logicaldoc_enum.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://cxsecurity.com/issue/WLB-2018020151
[2] https://packetstormsecurity.com/files/146353
[3] https://www.exploit-db.com/exploits/44019/
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/139088
Changelog
[11.02.2018] - Initial release
[21.02.2018] - Added reference [1], [2], [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk