20112 2009-05-20 08:38:53 +0400 [SA35157] OCS Inventory NG Web Interface User Account Enumeration Weakness 2009-11-24 20:48:52 +0300 1 1 4 Development Sisyphus ocsinventory-server unstable all Linux CLOSED FIXED P3 normal --- 21309 1 vvk zidex combr crux pavel.zilke qa-sisyphus oldest_to_newest 91549 0 vvk 2009-05-20 08:38:53 +0400 VERIFY ADVISORY: http://secunia.com/advisories/35157/ DESCRIPTION: A weakness has been reported in OCS Inventory NG, which can be exploited by malicious people to potentially identify valid user accounts. The application's web interface returns different error messages depending on whether an unsuccessful login attempt is performed with a valid or invalid username. This can be exploited to potentially identify valid usernames via multiple login attempts. The weakness is reported in version 1.01. Other versions may also be affected. SOLUTION: Edit the source code to ensure that a unique error message is returned when an unsuccessful login attempt is made. PROVIDED AND/OR DISCOVERED BY: Reported by Will Aoki in a Debian bug report. ORIGINAL ADVISORY: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529344 103543 1 pavel.zilke 2009-11-24 20:48:52 +0300 Ошибка исправлена в версии 1.02.1-alt1