CVE-2023-36127
📋 TL;DR
CVE-2023-36127 is a user enumeration vulnerability in PHPJabbers Appointment Scheduler 3.0 that allows attackers to determine valid usernames via password recovery responses. This enables targeted brute force attacks against valid accounts. Organizations using PHPJabbers Appointment Scheduler 3.0 are affected.
💻 Affected Systems
- PHPJabbers Appointment Scheduler
⚠️ Risk & Real-World Impact
Worst Case
Attackers enumerate all valid users, then perform credential stuffing or brute force attacks to compromise accounts, potentially gaining unauthorized access to appointment data and administrative functions.
Likely Case
Attackers identify valid user accounts and perform targeted password attacks, compromising some user accounts to access appointment information.
If Mitigated
With rate limiting and proper authentication controls, impact is limited to user enumeration without successful account compromise.
🎯 Exploit Status
The vulnerability is simple to exploit by comparing password recovery response messages. Public proof-of-concept exists in the referenced Medium article.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check PHPJabbers for updated version
Vendor Advisory: https://www.phpjabbers.com/
Restart Required: No
Instructions:
1. Check PHPJabbers website for security updates
2. Download and apply the latest patch
3. Verify password recovery returns consistent messages regardless of user existence
🔧 Temporary Workarounds
Disable Password Recovery
Temporarily disable password recovery functionality to prevent exploitation
Modify PHP code to remove or comment out password recovery endpoints
Implement Rate Limiting
Add rate limiting to password recovery requests
Configure web server or application rate limiting for /index.php?controller=pjUser&action=pjActionForgot
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block user enumeration patterns
- Monitor logs for excessive password recovery attempts and implement alerting
🔍 How to Verify
Check if Vulnerable:
Submit password recovery requests for a known valid username and for a username that does not exist; if the response messages differ, the system is vulnerable
Check Version:
Check PHPJabbers Appointment Scheduler version in admin panel or configuration files
Verify Fix Applied:
Verify password recovery returns identical response messages for both existing and non-existing users
📡 Detection & Monitoring
Log Indicators:
- Multiple failed password recovery attempts from a single IP address
- Pattern of username guessing in password recovery logs
Network Indicators:
- Unusual volume of POST requests to password recovery endpoint
- Sequential username attempts in HTTP traffic
SIEM Query:
source="web_logs" AND (uri="*pjActionForgot*" OR uri="*password*recovery*") | stats count by src_ip, user_agent | where count > 10
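As an added example (not code from this advisory or from PHPJabbers), the script below applies the same logic as the SIEM query to raw web-server access-log lines: it counts POST requests to the pjActionForgot endpoint per source IP and user agent inside a sliding time window and flags any client that exceeds the threshold. The log lines are constructed sample data; the combined log format and the 10-request / 5-minute threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "method uri proto" status bytes "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Same URI patterns as the SIEM query: the pjActionForgot handler or a password-recovery path.
RECOVERY_URI = re.compile(r"pjActionForgot|password.*recovery", re.IGNORECASE)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, uri, user_agent), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TIME_FMT), m["method"], m["uri"], m["ua"]

def find_enumeration_sources(lines, threshold=10, window=timedelta(minutes=5)):
    """Map (ip, user_agent) -> total recovery POSTs for clients exceeding `threshold` in any `window`."""
    stamps_by_client = defaultdict(list)
    for ip, ts, method, uri, ua in filter(None, map(parse_line, lines)):  # malformed lines dropped
        if method == "POST" and RECOVERY_URI.search(uri):
            stamps_by_client[(ip, ua)].append(ts)
    flagged = {}
    for client, stamps in stamps_by_client.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # advance the window's left edge
                start += 1
            if end - start + 1 > threshold:
                flagged[client] = len(stamps)
                break
    return flagged

def build_sample_log():
    """Constructed sample traffic, not real logs: a scripted client sends 12 recovery POSTs in a minute."""
    base = datetime(2023, 7, 10, 10, 0, tzinfo=timezone.utc)
    post = '{ip} - - [{ts}] "POST /index.php?controller=pjUser&action=pjActionForgot HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [post.format(ip="203.0.113.7", ts=(base + timedelta(seconds=5 * i)).strftime(TIME_FMT),
                         ua="python-requests/2.31") for i in range(12)]
    lines.append(post.format(ip="198.51.100.4", ts=base.strftime(TIME_FMT), ua="Mozilla/5.0"))  # one legit user
    return lines

SAMPLE_LOG = build_sample_log()
```

Feed real access-log lines to find_enumeration_sources() and forward any flagged (ip, user_agent) pair to the alerting described above.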