There are several known issues with Mid-Tier (cache ID reuse before cache timeout), not to mention CLIENT, and not to mention all the others (ODBC, ...); however, the only "validation" that this person has was in the message which was returned (which seems to vary from release to release)...

Invalid password for user ABC.

This does NOT mean you "got into" the system, but that you got a response that some form of ID "seems to exist". Certain "security classes" will actually tell you it is GOOD to provide the response seeming that the "Account exists but password is invalid", which is easier to detect, because a true h4x0r will then use that account and start the password scans. Other security classes will tell you completely the opposite. Is this something to "worry about"? Definitely not. IMHO...

That is why we use "Integrated Windowz Authentication" at the web server, and then ASP to check the DB and route the user under the covers automagically. In V7 we will be going completely Windowz Domain Controller authentication, so...

The bigger issue is that "someone got onto your network" in order to get to mid-tier... Of course, those exposing ARSystem externally should deploy a strong security model of DMZ (bla bla...).

Thanks-n-advance;

HDT Platform Incident / Problem Manager & Architect
Robert Molenda
IT OS PA
Tel: +1 408 501 6310
Fax: +1 408 501 2410
Mobile: +1 408 472 8097
[EMAIL PROTECTED]
Quality begins with your actions.

________________________________
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Axton
Sent: Tuesday, January 16, 2007 3:25 PM
To: [email protected]
Subject: Re: Remedy Vulnerability

** Enumeration implies a full list of accounts can be retrieved.

This individual seems to have a track record of exploit discoveries:
http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0547.html
http://www.security-express.com/archives/fulldisclosure/2004-09/0189.html
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-09/0072.html
http://www.securitytracker.com/alerts/2004/Feb/1009069.html
and on and on...

In any case, I've added it to the list on arswiki:
http://arswiki.org/wiki/ARS_Vulnerabilities

Axton Grams

On 1/16/07, David Yearsley <[EMAIL PROTECTED]> wrote:
** One of our security people found this website http://www.securityfocus.com/bid/22066/discuss and is very. We have not been on version 5.01.02 for some time and I was wondering if this vulnerability has been addressed in later versions? Thanks for any information.

__20060125_______________________This posting was submitted with HTML in it___
_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
ARSlist:"Where the Answers Are"
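The thread turns on one observable: a login failure that reads "Invalid password for user ABC" tells the caller that ABC exists, whereas a login that fails the same way for unknown users and wrong passwords does not. The following is an added example, not code from the ARSList thread, from Remedy/BMC or from the Mid-Tier; it is a generic login handler written to show the leak next to its fix. The user table, the password and the function names (login_leaky, login_uniform, enumerates_users) are all constructed for the example and are not Remedy APIs.

```python
"""
Added example (not code from the ARSList thread or from Remedy/BMC):
a minimal login handler that leaks account existence through its error
message, next to a hardened version, and a probe that shows what a
username-enumeration check actually measures. All users, passwords and
hashes below are constructed for the example.
"""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Constructed credential hashing; the iteration count is kept small
    # so the example runs quickly, not as a production recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed user table: username -> (salt, PBKDF2 hash). Nothing real.
_SALT = os.urandom(16)
USERS = {
    "demo": (_SALT, _hash("correct horse", _SALT)),
}
# Hash of a dummy password, used so that unknown users cost the same
# PBKDF2 work as known ones (no timing oracle on user existence).
_DUMMY = (_SALT, _hash("dummy", _SALT))


def login_leaky(user: str, password: str) -> str:
    """Returns a different message depending on whether the user exists.
    This is the behaviour the thread discusses: the message alone tells
    an attacker which IDs are worth password-guessing."""
    if user not in USERS:
        return "No such user"
    salt, stored = USERS[user]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return f"Invalid password for user {user}"


def login_uniform(user: str, password: str) -> str:
    """Same check, but the failure message and the work done are the same
    for unknown users and for wrong passwords."""
    salt, stored = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and user in USERS:
        return "OK"
    return "Invalid username or password"


def enumerates_users(login) -> bool:
    """Enumeration check: probe one known-good and one made-up username
    with a wrong password and report whether the failure responses differ.
    A True result is exactly the evidence the reporter in the thread had."""
    known = login("demo", "wrong password")
    unknown = login("nobody-here", "wrong password")
    return known != unknown


if __name__ == "__main__":
    print("leaky handler enumerable:", enumerates_users(login_leaky))
    print("uniform handler enumerable:", enumerates_users(login_uniform))
```

Two caveats a practitioner would add: a uniform message only closes the oracle the thread describes if the server also does the same amount of work for unknown and known users (hence the dummy hash above), and a per-account existence check like this is weaker than what Axton calls enumeration, which would mean pulling a full account list rather than confirming IDs one at a time.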

