ID CVE-2009-1076 Type cve Reporter cve@mitre.org Modified 2009-03-25T15:30:00
Description
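Sun Java System Identity Manager (IdM) 7.0 through 8.0 returns a different response to a failed attempt at the end-user question-based login feature depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. The Nessus plugin text below states that the vendor patch only partially addresses the account-enumeration issue.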
{"nessus": [{"lastseen": "2020-12-23T13:43:55", "description": "The version of Sun Java System Identity Manager running on the remote\nhost has the following account enumeration vulnerabilities :\n\n- The error message for a failed login attempt is different,\n depending on whether or not a valid username was given.\n\n- Requesting IDMROOT/questionLogin.jsp?accountId=USERNAME results in\n different results, depending on whether USERNAME is valid.\n\nA remote attacker could use these to enumerate valid usernames,\nwhich could be used to mount further attacks.\n\nThere are also other issues known to be associated with this version\nof Identity Manager that Nessus has not tested for. Refer to Sun\nSecurity Alert #253267 for more information.", "edition": 24, "published": "2009-04-28T00:00:00", "title": "Sun Java System Identity Manager Account Disclosure", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1076", "CVE-2009-1075"], "modified": "2009-04-28T00:00:00", "cpe": ["cpe:/a:sun:java_system_identity_manager"], "id": "SUN_IDM_ACCT_DISCLOSURE.NASL", "href": "https://www.tenable.com/plugins/nessus/38198", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(38198);\n script_version(\"1.17\");\n\n script_cve_id(\"CVE-2009-1075\", \"CVE-2009-1076\");\n script_bugtraq_id(34191);\n script_xref(name:\"Secunia\", value:\"34380\");\n\n script_name(english:\"Sun Java System Identity Manager Account Disclosure\");\n script_summary(english:\"Checks if the application is leaking information\");\n\n script_set_attribute( attribute:\"synopsis\", value:\n\"The remote host is running a web application with information\ndisclosure vulnerabilities.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The version of Sun Java System Identity Manager running on the remote\nhost has the following account enumeration vulnerabilities :\n\n- The error message for a failed login attempt is 
different,\n depending on whether or not a valid username was given.\n\n- Requesting IDMROOT/questionLogin.jsp?accountId=USERNAME results in\n different results, depending on whether USERNAME is valid.\n\nA remote attacker could use these to enumerate valid usernames,\nwhich could be used to mount further attacks.\n\nThere are also other issues known to be associated with this version\nof Identity Manager that Nessus has not tested for. Refer to Sun\nSecurity Alert #253267 for more information.\" );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://blogs.sun.com/security/entry/sun_alert_253267_sun_java\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://download.oracle.com/sunalerts/1020159.1.html\"\n );\n script_set_attribute( attribute:\"solution\", value:\n\"The vendor has made a patch available. It fixes other unrelated\nvulnerabilities, but only partially addresses this issue. At this\ntime, there is no known comprehensive solution.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sun:java_system_identity_manager\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(200, 255);\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2009/03/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2009/04/28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/22\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"sun_idm_detect.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\n\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('http.inc');\n\n\nfake_user = string(SCRIPT_NAME, \"-\", unixtime());\n\nport = get_http_port(default:80, embedded: 0);\n\n# Only does the check if Sun IDM was already detected on the remote host\ninstall = get_kb_item(string(\"www/\", port, \"/sun_idm\"));\nif (isnull(install)) exit(0);\n\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\n\nif (!isnull(matches))\n{\n dir = matches[2];\n\n # Tries to get prompted for the security question of a nonexistent user.\n url = string(dir, \"/questionLogin.jsp?accountId=\", fake_user);\n res = http_send_recv3(\n method:\"GET\",\n item:url,\n port:port,\n follow_redirect:1\n );\n\n if (isnull(res)) exit(0);\n\n # If the server explicitly says the user does not exist,\n # this host is vulnerable\n if ('The specified user was not found.' >< res[2])\n {\n security_warning(port);\n exit(0);\n }\n\n # If the 'Forgot Password' method didn't leak information, see if\n # logging in as a nonexistent user will\n url = string(dir, \"/login.jsp\");\n postdata = 'command=login&accountId=' + fake_user;\n res = http_send_recv3(\n method:\"POST\",\n item:url,\n port:port,\n data:postdata,\n add_headers : make_array(\n \"Content-Type\", \"application/x-www-form-urlencoded\"\n )\n );\n\n if (isnull(res)) exit(0);\n\n if ('Invalid Account ID' >< res[2]) security_warning(port);\n}\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}