Bug 20112

Summary: [SA35157] OCS Inventory NG Web Interface User Account Enumeration Weakness
Product: Sisyphus
Reporter: Vladimir V. Kamarzin <vvk>
Component: ocsinventory-server
Assignee: zidex <zidex>
Status: CLOSED FIXED
QA Contact: qa-sisyphus
Severity: normal
Priority: P3
CC: combr, crux, pavel.zilke
Version: unstable
Hardware: all
OS: Linux
Bug Depends on:
Bug Blocks: 21309

Description Vladimir V. Kamarzin 2009-05-20 08:38:53 MSD
VERIFY ADVISORY:
http://secunia.com/advisories/35157/

DESCRIPTION:
A weakness has been reported in OCS Inventory NG, which can be
exploited by malicious people to potentially identify valid user
accounts.

The application's web interface returns different error messages
depending on whether an unsuccessful login attempt is performed with
a valid or invalid username. This can be exploited to potentially
identify valid usernames via multiple login attempts.

The weakness is reported in version 1.01. Other versions may also be
affected.

SOLUTION:
Edit the source code to ensure that a unique error message is
returned when an unsuccessful login attempt is made.

PROVIDED AND/OR DISCOVERED BY:
Reported by Will Aoki in a Debian bug report.

ORIGINAL ADVISORY:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529344
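The weak pattern the advisory describes, beside the single-message fix it recommends, as an added example in PHP that is not OCS Inventory NG's own code; the in-memory user table, password and message strings are constructed for illustration. The hardened form also runs a password check against a throwaway hash when the username is unknown, so response time does not leak what the message no longer does:

```php
<?php
// Constructed in-memory user table standing in for the application's user
// store; the hash is generated at runtime, it is not taken from OCS Inventory.
$users = [
    'admin' => password_hash('correct horse', PASSWORD_DEFAULT),
];
// Hash of a random throwaway password: a lookup miss still costs one
// password_verify() call, so both failure paths take about the same time.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

// Weak pattern (the behaviour reported in SA35157): the error text differs
// depending on whether the username exists.
function login_weak(array $users, string $user, string $pass): string {
    if (!isset($users[$user])) {
        return 'Unknown user';      // reveals that the account does not exist
    }
    if (!password_verify($pass, $users[$user])) {
        return 'Wrong password';    // reveals that the account does exist
    }
    return 'OK';
}

// Hardened form: one generic failure message for every unsuccessful attempt,
// and the same amount of work whether or not the username was found.
function login_hardened(array $users, string $dummyHash, string $user, string $pass): string {
    $hash = $users[$user] ?? $dummyHash;
    $ok = password_verify($pass, $hash) && isset($users[$user]);
    return $ok ? 'OK' : 'Invalid username or password';
}

// Constructed attempts: wrong password for a real user, unknown user,
// and a correct login.
foreach ([['admin', 'wrong'], ['nobody', 'wrong'], ['admin', 'correct horse']] as [$u, $p]) {
    printf("%-7s weak=%-15s hardened=%s\n",
        $u, login_weak($users, $u, $p), login_hardened($users, $dummyHash, $u, $p));
}
```

Only the weak variant lets the first two attempts be told apart; the hardened variant returns the same message for both and differs only on the successful login.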

Comment 1 Pavel Zilke 2009-11-24 20:48:52 MSK
The bug is fixed in version 1.02.1-alt1