Message-ID: <cf7ad8210904070551j46711af5m83c78d6c7861fa18@mail.gmail.com>
Date: Tue, 7 Apr 2009 14:51:00 +0200
From: Marco Mella <marco.mella@...utsecurity.net>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: POC - Sun Java System Access Manager & Identity
	Manager Users Enumeration

============================================================
 Sun Java System Access Manager & Identity Manager Users Enumeration
============================================================

 Affected Software: Sun Java System Access Server, OpenSSO
                               Sun Java System Identity Manager

 Author: Marco Mella - marco[ dot ]mella[at]aboutsecurity[dot]net
 More information, Advisory and POC URL: http://www.aboutsecurity.net

Sun Java System Identity Manager Security Vulnerabilities
    Sun Java System Identity Manager 7.0
    Sun Java System Identity Manager 7.1
    Sun Java System Identity Manager 7.1.1
    Sun Java System Identity Manager 8.0
 Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1

Sun Java System Identity Manager
    Sun Java System Access Manager 6 2005Q1 (6.3)
    Sun Java System Access Manager 7 2005Q4 (7.0)
    Sun Java System Access Manager 7.1
 Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-242026-1

 [Summary]

 A Security Vulnerability in Sun Java System Access Manager and Identity
Manager allows a Remote Unprivileged User to Determine the existence of
"guessed" UserIDs, facilitating brute-force attacks.


[Proof of Concept]
Simple POC for users enumeration on Access Manager and Identity Manager
available on http://www.aboutsecurity.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
