lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 16 Jan 2007 11:09:22 +0100
From: "Davide Del Vecchio" <dante@...ghieri.org>
To: bob@...rs.net
Cc: bugtraq@...urityfocus.com
Subject: Re: Remedy Action Request System 5.01.02 - User Enumeration

Lee Rumble writes: 

> This has always been the case with the Remedy system which I use day in 
> and
> day out. This is also present in older versions too and I have spoken with
> them about this, but they do not deem this to be a security flaw. 

Hello Lee, 

if they think or not it is a security flaw, well, it's their opinion.
I think that the possibility to enumerate users is a security flaw, and you? 

> Gaining access to the system itself has no real advantages either.

It depends from what the system is used for. There are a lot of companies
that use to attach important documents to the remedy tickets or use remedy
to trace every activity. According to you, is it important to access the
repository in which every activity has been traced ? 

Best regards, 

d. 

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Davide Del Vecchio "Dante Alighieri" dante@...ghieri.org
http://www.alighieri.org http://legaest.blogspot.com
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Powered by blists - more mailing lists