| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Jan 2007 11:09:22 +0100 From: "Davide Del Vecchio" <dante@...ghieri.org> To: bob@...rs.net Cc: bugtraq@...urityfocus.com Subject: Re: Remedy Action Request System 5.01.02 - User Enumeration Lee Rumble writes: > This has always been the case with the Remedy system which I use day in > and > day out. This is also present in older versions too and I have spoken with > them about this, but they do not deem this to be a security flaw. Hello Lee, if they think or not it is a security flaw, well, it's their opinion. I think that the possibility to enumerate users is a security flaw, and you? > Gaining access to the system itself has no real advantages either. It depends from what the system is used for. There are a lot of companies that use to attach important documents to the remedy tickets or use remedy to trace every activity. According to you, is it important to access the repository in which every activity has been traced ? Best regards, d. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Davide Del Vecchio "Dante Alighieri" dante@...ghieri.org http://www.alighieri.org http://legaest.blogspot.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Powered by blists - more mailing lists