Flyspray username information disclosure
| flyspray-username-information-disclosure (40964) |  Low Risk |
Description:
Flyspray could allow a local attacker to obtain sensitive information, caused by the return of varied error messages when an invalid login attempt is made via a valid or invalid username. A remote attacker could exploit this vulnerability using brute force attacks to enumerate valid usernames and gain unauthorized access to the system.
Platforms Affected:
- Flyspray, Flyspray 0.9.9.4
Remedy:
No remedy available as of March 2008.
Consequences:
Obtain Information
References:
- Flyspray Security Announcement 3, Flyspray Cross Site Scripting Vulnerabilities at http://flyspray.org/fsa:3.
- Flyspray Web site, Flyspray at http://flyspray.org/.
- BID-28076: Flyspray Multiple Information Disclosure, HTML Injection, and Cross-Site Scripting Vulnerabilities
- CVE-2008-1166: Flyspray 0.9.9.4 generates different error messages depending on whether the username is valid or invalid, which allows remote attackers to enumerate usernames. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- SA29215: Flyspray Cross-Site Scripting and User Enumeration
Reported:
Mar 03, 2008
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net