Bug 20112 - [SA35157] OCS Inventory NG Web Interface User Account Enumeration Weakness
Summary: [SA35157] OCS Inventory NG Web Interface User Account Enumeration Weakness
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: ocsinventory-server (show other bugs)
Version: unstable
Hardware: all Linux
: P3 normal
Assignee: zidex@altlinux.org
QA Contact: qa-sisyphus
URL:
Keywords:
Depends on:
Blocks: 21309
  Show dependency tree
 
Reported: 2009-05-20 08:38 MSD by Vladimir V. Kamarzin
Modified: 2009-11-24 20:48 MSK (History)
3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Vladimir V. Kamarzin 2009-05-20 08:38:53 MSD 
VERIFY ADVISORY:
http://secunia.com/advisories/35157/

DESCRIPTION:
A weakness has been reported in OCS Inventory NG, which can be
exploited by malicious people to potentially identify valid user
accounts.

The application's web interface returns different error messages
depending on whether an unsuccessful login attempt is performed with
a valid or invalid username. This can be exploited to potentially
identify valid usernames via multiple login attempts.

The weakness is reported in version 1.01. Other versions may also be
affected.

SOLUTION:
Edit the source code to ensure that a unique error message is
returned when an unsuccessful login attempt is made.

PROVIDED AND/OR DISCOVERED BY:
Reported by Will Aoki in a Debian bug report.

ORIGINAL ADVISORY:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529344
Comment 1 Pavel Zilke 2009-11-24 20:48:52 MSK 
Ошибка исправлена в версии 1.02.1-alt1