GHSA-7w52-7jvm-m9vw
Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
Details
### Summary There is a Proof of Concept which is able to enumerate the usernames of administrator users. This was possible by performing a timing attack.
### Details The faulty code exists in [`src/Core/Framework/Api/OAuth/UserRepository.php`](https://github.com/shopware/shopware/blob/trunk/src/Core/Framework/Api/OAuth/UserRepository.php): ``` public function getUserEntityByUserCredentials( string $username, #[\SensitiveParameter] string $password, string $grantType, ClientEntityInterface $clientEntity ): ?UserEntityInterface { if ($this->loginConfigService->getConfig()?->useDefault === false) { // never allow login via password if the default login is disabled (e.g. using SSO only) return null; }
$builder = $this->connection->createQueryBuilder(); $user = $builder->select('user.id', 'user.password') ->from('user') ->where('username = :username') ->setParameter('username', $username) ->fetchAssociative();
// PATH 1: EARLY RETURN WHEN USERNAME IS NOT FOUND if (!$user) { return null; }
// PATH 2: VERIFY PASSWORD IF USER IS FOUND if (!password_verify($password, (string) $user['password'])) { return null; }
return new User(Uuid::fromBytesToHex($user['id'])); } ```
Subroutine `getUserEntityByUserCredentials()` is called when an auth request is send to `api/oauth/token`. If the given username is not found an early return is done (PATH 1). Only if the user is found we verify the password using `password_verify`.
PHP method `password_verify` by default uses hashing algorithm Argon2id which by design is intentionally 'slow' by introducing a timing cost to an attempt to bruteforce hashes more costly.
Since `password_verify` has a notable executable time, PATH 2 where an user is found and verified will be slower on average then PATH 1 where we do an early return for non-existing users.
### Proposed fix Before doing the early return, `password_verify` a dummy hash.
### Impact 1. More targeted dictionary/bruteforce attacks. 2. Spear phishing / eases social engineering. 3. Credential stuffing from other data leaks.
### Authors Niel Duysters (@NielDuysters) and Thomas Brankaer (@tbrankaer)
Are you affected?
Enter the version of the package you're using.
Affected packages
6.7.0.0 Fixed in: 6.7.10.1 composer require shopware/platform:^6.7.10.1 0 Fixed in: 6.6.10.18 composer require shopware/platform:^6.6.10.18 6.7.0.0 Fixed in: 6.7.10.1 composer require shopware/core:^6.7.10.1 0 Fixed in: 6.6.10.18 composer require shopware/core:^6.6.10.18 References
- https://github.com/shopware/shopware/security/advisories/GHSA-7w52-7jvm-m9vw [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-48011 [ADVISORY]
- https://github.com/shopware/shopware [PACKAGE]
- https://github.com/shopware/shopware/releases/tag/v6.6.10.18 [WEB]
- https://github.com/shopware/shopware/releases/tag/v6.7.10.1 [WEB]