CVE-2019-13599: CentOS-WebPanel.com Control Web Panel (CWP) 0.9.8.848 User Enumeration ≈ Packet Storm

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times.

Exploit Title       : CWP (CentOS Control Web Panel) User enumerate through HTTP response time
Date                : 15 Jul 2019
Exploit Author      : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage     : https://control-webpanel.com/
Software Link       : Not available, user panel only available for latest version
Version             : 0.9.8.848
Tested on           : CentOS 7.6.1810 (Core) Firefox 68.0.1 (64-bit)
CVE-Number          : CVE-2019-13599
Reference           : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13599.md

# Description
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times

# PoC
1. Login with valid user and invalid password, the server response time is about 250ms
2. Login with an invalid user and invalid password, the server response time is about 180ms

*The response times also depend on the network speed. However, when we log in with valid and invalid usernames, the response times will be different
