WebCalendar Username Enumeration Vulnerability
BID:17853
Info
WebCalendar Username Enumeration Vulnerability
| Bugtraq ID: | 17853 |
| Class: | Design Error |
| CVE: |
CVE-2006-2247 |
| Remote: | Yes |
| Local: | No |
| Published: | May 05 2006 12:00AM |
| Updated: | Jul 10 2006 10:58PM |
| Credit: | David Maciejak is credited with the discovery of this vulnerability. |
| Vulnerable: |
k5n WebCalendar 1.0.3 k5n WebCalendar 1.0.2 k5n WebCalendar 1.0.1 Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1 |
| Not Vulnerable: | |
Discussion
WebCalendar Username Enumeration Vulnerability
WebCalendar is prone to a username-enumeration vulnerability. This issue is due to a design error in the application when verifying user-supplied input.
Attackers may exploit this vulnerability to discern valid usernames. This may aid them in brute-force password cracking or other attacks.
WebCalendar is prone to a username-enumeration vulnerability. This issue is due to a design error in the application when verifying user-supplied input.
Attackers may exploit this vulnerability to discern valid usernames. This may aid them in brute-force password cracking or other attacks.
Exploit / POC
WebCalendar Username Enumeration Vulnerability
This issue can be exploited with a web client.
This issue can be exploited with a web client.
Solution / Fix
WebCalendar Username Enumeration Vulnerability
Solution:
Reports indicate that this issue will be addressed in the upcoming 1.1 version of the application; Symantec has not confirmed this. Please see the references for more information and vendor advisories.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]:[email protected].
Solution:
Reports indicate that this issue will be addressed in the upcoming 1.1 version of the application; Symantec has not confirmed this. Please see the references for more information and vendor advisories.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]:[email protected].
References
WebCalendar Username Enumeration Vulnerability
References:
References:
- WebCalendar Home Page (WebCalendar)
- Re: WebCalendar User Account Enumeration Weakness (David Maciejak)
- WebCalendar User Account Enumeration Weakness (David Maciejak)