lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201301171838.r0HIcDW6014190@sf01web2.securityfocus.com>
Date: Thu, 17 Jan 2013 18:38:13 GMT
From: jason.doyle@...hnetsecurity.com
To: bugtraq@...urityfocus.com
Subject: CVE-2012-6452 Axway Secure Messenger Username Disclosure

Product: Axway Email Firewall
Component: Secure Messenger
Vendor: Axway
Vulnerable Version(s): 6.5 and earlier on the Email Firewall (EMF) platform only
Tested Version: 6.3.2 (Build 4230)
Vendor Notification: December 8, 2012 
Vendor Patch: Secure Messenger version 6.5.0 Updated Release 7
Public Disclosure: January 17, 2013
Vulnerability Type: Username Disclosure
CVE Reference: CVE-2012-6452
Solution Status: Fixed by Vendor
Credit: Jason Doyle / FishNet Security
 
Advisory Details:
When authenticating to Secure Messenger on Axway's Email Firewall, vulnerable versions return different HTTP header responses for users that exist and users that do not exist when an incorrect password is supplied. Specifically, two (2) JSESSIONIDs are returned for valid users, and one (1) for invalid users.
 
Solution:
Upgrade to Secure Messenger version 6.5 Updated Release 7, or migrate to Axway MailGate 5.2.0 (or later) for the equivalent functionality.
 
Contact:
support.axway.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ