This is fixed in both AR System 6.03 and 7.0.x. The notice in the client is simply:
ARERR [623] Authentication failed user: johndoe, server: server123

The message does not indicate the validity of the user name.

-David J. Easter
Sr. Product Manager, Service Management Business Unit
BMC Software, Inc.

________________________________
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Axton
Sent: Tuesday, January 16, 2007 3:25 PM
To: [email protected]
Subject: Re: Remedy Vulnerability

Enumeration implies a full list of accounts can be retrieved. This individual seems to have a track record of exploit discoveries:

http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0547.html
http://www.security-express.com/archives/fulldisclosure/2004-09/0189.html
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-09/0072.html
http://www.securitytracker.com/alerts/2004/Feb/1009069.html

and on and on...

In any case, I've added it to the list on arswiki:
http://arswiki.org/wiki/ARS_Vulnerabilities

Axton Grams

On 1/16/07, David Yearsley <[EMAIL PROTECTED]> wrote:

One of our security people found this website http://www.securityfocus.com/bid/22066/discuss and is very. We have not been on version 5.01.02 for some time and I was wondering if this vulnerability has been addressed in a later version?

Thanks for any information.

