On Mon, May 18, 2009 at 01:25:30PM -0600, Will Aoki wrote:
> Package: ocsinventory-reports
> Version: 1.01-6
> Severity: normal
> Tags: security
>
> The OCS Inventory web interface returns one error if one enters an
> invalid username but a different error if one enters a valid username
> with an invalid password -- in the English translation, the messages are
> "User not registered" and "Password error". This type of behavior is
> generally considered a problem because it permits an attacker to
> determine whether usernames are valid.
>
Hi,

Yes, this can eventually lead to finding out whether a user is valid or not. You'll also discover that the admin user is .. admin !

Seriously, while I agree on what you say, the tag 'security' seems a bit strong to me. Especially given that the README.Debian advises to give access even to the login window only to authenticated users (Apache auth, for ex).

Cheers,
Pierre
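For readers of this thread, here is an added illustration (not code from OCS Inventory or from either poster) of the behaviour the report describes and of the usual fix. The leaky variant returns the two distinct messages quoted in the report; the uniform variant returns one message for both failure cases and does the same password-hashing work whether or not the username exists, so neither the text nor the response time reveals which usernames are registered. The user store, salts and the "example-admin-pass" credential are constructed for this demonstration only.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; constructed value for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 hash for a password with the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store: username -> (salt, stored hash). Not real credentials.
_ADMIN_SALT = os.urandom(16)
USERS = {"admin": (_ADMIN_SALT, hash_password("example-admin-pass", _ADMIN_SALT))}

# Dummy salt/hash used for unknown usernames so the hashing work is always done.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-placeholder", _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """The pattern from the bug report: distinct messages per failure cause."""
    if username not in USERS:
        return (False, "User not registered")      # reveals the name is unknown
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return (False, "Password error")           # reveals the name is valid
    return (True, "OK")


def login_uniform(username: str, password: str):
    """Hardened form: one message and the same work on both failure paths."""
    # Unknown users get the dummy record so PBKDF2 runs either way (no timing tell).
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(hash_password(password, salt), stored)
    # Check membership only after hashing; the dummy hash must never grant access.
    if username not in USERS or not password_ok:
        return (False, "Invalid username or password")
    return (True, "OK")


def leaks_username_validity(login) -> bool:
    """Regression check: do unknown-user and wrong-password failures differ?"""
    _, unknown_msg = login("no-such-user", "whatever")
    _, wrong_pw_msg = login("admin", "wrong-password")
    return unknown_msg != wrong_pw_msg


if __name__ == "__main__":
    print("leaky  :", login_leaky("no-such-user", "x"), login_leaky("admin", "x"))
    print("uniform:", login_uniform("no-such-user", "x"), login_uniform("admin", "x"))
    print("leaky variant distinguishes usernames:", leaks_username_validity(login_leaky))
    print("uniform variant distinguishes usernames:", leaks_username_validity(login_uniform))
```

The membership check in login_uniform deliberately comes after the hash comparison: if it came first and short-circuited, the unknown-user path would skip PBKDF2 and be measurably faster, which restores the oracle through timing even though the message is the same. The leaks_username_validity helper is the kind of check a maintainer can keep in a test suite so the distinct messages do not creep back in.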