PR04-13: Ringtail Casebook 6.1.0 Information Disclosure vulnerability
Ringtail CaseBook version 6.1.0 and possibly earlier versions disclose information about valid usernames in login.asp.
Date Found: 7th April 2004
Date Public: 1st November 2005 (see notes)
Vulnerable: Ringtail CaseBook version 6.1.0 and possibly earlier versions
Severity: Medium
Authors: Gemma Hughes of ProCheckUp Ltd
Description:
Ringtail CaseBook version 6.1.0 and possibly earlier versions disclose information about valid usernames. Because the login page returns a different error message for a valid username with a wrong password than for an invalid username, an attacker can enumerate valid usernames for the system, which makes password cracking attacks easier.
Information:
The exploit code for this vulnerability has been withheld while clients consult the vendor to resolve the issue.
Notes:
This sensitive information may aid an attacker in executing a successful password cracking attack.
This advisory was originally sent to the CERT/CC in April 2004 with no action taken. Following consultation with UK NISCC, ProCheckUp have now published the advisory via Security Focus.
Consequences:
An attacker can enumerate valid usernames for the system, which makes password cracking attacks easier.
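The pattern behind this advisory, shown as an added example that is not the advisory's own exploit code nor Ringtail's login.asp: a leaky login handler beside a hardened one, plus a self-test a defender can run against either. The handler is written in Python rather than classic ASP, and the user store, salt and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample user store (invented account, not a real CaseBook user).
_SALT = b"example-salt"
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}
# Decoy hash so an unknown username costs the same work as a known one.
_DECOY = _hash(_SALT, secrets.token_hex(8))

def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Vulnerable pattern: the failure message reveals whether the user exists."""
    if username not in USERS:
        return False, "Unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(salt, password), stored):
        return False, "Incorrect password"
    return True, "Welcome"

def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened pattern: one failure message, same hashing work on every path."""
    salt, stored = USERS.get(username, (_SALT, _DECOY))
    digest_ok = hmac.compare_digest(_hash(salt, password), stored)
    ok = digest_ok and username in USERS
    return (True, "Welcome") if ok else (False, "Invalid username or password")

def leaks_username_existence(login, known: str, unknown: str) -> bool:
    """Self-test: does a wrong password for a known user yield a different
    message than the same wrong password for an unknown user?"""
    _, msg_known = login(known, "definitely-wrong")
    _, msg_unknown = login(unknown, "definitely-wrong")
    return msg_known != msg_unknown
```

Response-body differences are only one channel; in a real fix also check status codes, redirects and response timing between the two cases.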
Fix:
FTI Ringtail advise clients to upgrade to v2005 to address this and other security issues.
For further details please contact your support partner or FTI Ringtail via support@ringtailsolutions.com.
Legal:
Copyright 2005 Procheckup Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the Internet community
for the purpose of alerting them to problems, if and only if, the Bulletin is not edited
or changed in any way, is attributed to Procheckup, and provided such reproduction and/or
distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.