Package: ocsinventory-reports
Version: 1.01-6
Severity: normal
Tags: security

The OCS Inventory web interface returns one error if one enters an invalid username but a different error if one enters a valid username with an invalid password -- in the English translation, the messages are "User not registered" and "Password error". This type of behavior is generally considered a problem because it permits an attacker to determine whether usernames are valid.

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ocsinventory-reports depends on:
ii  apache2             2.2.9-10+lenny2        Apache HTTP Server metapackage
ii  apache2-mpm-prefor  2.2.9-10+lenny2        Apache HTTP Server - traditional n
ii  dbconfig-common     1.8.39                 common framework for packaging dat
ii  debconf [debconf-2  1.5.24                 Debian configuration management sy
ii  libapache2-mod-php  5.2.6.dfsg.1-1+lenny3  server-side, HTML-embedded scripti
ii  php5                5.2.6.dfsg.1-1+lenny3  server-side, HTML-embedded scripti
ii  php5-mysql          5.2.6.dfsg.1-1+lenny3  MySQL module for php5
ii  ucf                 3.0016                 Update Configuration File: preserv

Versions of packages ocsinventory-reports recommends:
ii  libdbd-mysql-perl   4.007-1                A Perl5 database interface to the
ii  libdbi-perl         1.605-1                Perl5 database interface by Tim Bu
ii  libnet-ip-perl      1.25-2                 Perl extension for manipulating IP
ii  libxml-simple-perl  2.18-1                 Perl module for reading and writin
ii  nmap                4.62-1                 The Network Mapper
ii  ocsinventory-serve  1.01-6                 Hardware and software inventory to
ii  php5-gd             5.2.6.dfsg.1-1+lenny3  GD module for php5
ii  samba-common        2:3.2.5-4lenny2        Samba common files used by both th

ocsinventory-reports suggests no packages.

-- debconf information excluded