Events
-
PCI DSS User Group meeting
Neira Jones will be speaking on Barclaycards current approach to PCI and offering advice and guidance to merchants.
Click here to see more events.
Vulnerabilities 2006
PR06-02 SiteScape Forum username enumeration
- Advisory publicly released: Thursday, 25 May 2006
- Vulnerability found: Monday, 23 January 2006
- Severity level: Medium
-
Credits
Richard Brain of ProCheckUp Ltd (www.procheckup.com) -
Description
The SiteScape Forum program, 'dispatch.cgi/_user/uservCard/', allows the enumeration of valid usernames through differing responses to requests.
When a user requests a URL such as the following:
http://[target]/forum/dispatch.cgi/_user/uservCard/[valid username]/
A vCard containing the user's information is downloaded.
If an invalid username is queried, an Internal Error is triggered, e.g.:
"SiteScape Enterprise Forum Internal Error." -
Proof of concept
-
How to fix
Please contact SiteScape to obtain the necessary patches. -
Consequences
The successful enumeration of valid usernames may allow attackers to perform password attacks against known user accounts. -
CVE reference
CVE-2006-2676 -
Vulnerable
7.2 and possibly earlier versions. -
References
-
Legal
Copyright 2006 ProCheckUp Ltd.
All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp indicating this web page URL, and provided such reproduction and/or distribution is performed for non-commercial purposes.
Any other use of this information is prohibited.
ProCheckUp is not liable for any misuse of this information by any third party. ProCheckUp is not responsible for the content of external Internet sites.