Xpede datasource.asp reveals database account name
| xpede-datasource-reveal-account (8902) |  Medium Risk |
Description:
Intellisol Xpede could allow a remote attacker to send a request for the datasource.asp file to obtain a valid database account name. In addition, the request also allows the attacker to change the user's password using a brute-force attack.
Consequences:
Gain Access
Remedy:
No remedy available as of June 1, 2013.
References:
- BugTraq Mailing List, Fri Apr 19 2002 - 10:46:23 CDT: Xpede many vulnerabilities.
- WorkforceROI Web site: WorkforceROI Corp.
- BID-4553: XPede DataSource.ASP Information Disclosure Vulnerability
- CVE-2002-0580: WorkforceROI Xpede 4.1 allows remote attackers to obtain the database username via a request to datasource.asp, which leaks the username in a form and allows the attacker to more easily conduct brute force password guessing attacks.
- OSVDB ID: 11908: WorkforceROI Xpede datasource.asp Database Username Disclosure
Platforms Affected:
- WorkforceROI Intellisol Xpede 4.1
Reported:
Apr 19, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this