CA UniCenter Management Portal Username Disclosure

2004-09-22T07:39:43
ID OSVDB:10201
Type osvdb
Reporter Thomas Adams(tgadams@bellsouth.net)
Modified 2004-09-22T07:39:43

Description

Vulnerability Description

UniCenter Management Portal contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a password-reset request is submitted for a username: the response reveals whether that user exists, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):

Disable the "Forgot Password" feature or restrict access to the portal.

Short Description

UniCenter Management Portal contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a password-reset request is submitted for a username: the response reveals whether that user exists, resulting in a loss of confidentiality.

Manual Testing Notes

Connect to the management portal (default port 8080).

Choose the 'Forgot your Password?' option.

Enter a username, such as test. If the test account does not exist, the following will be displayed: "User not found: test". A legitimate account will produce a "Password has been sent" or "Email address not Found" message.
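The following is an added example, not CA's code: it models the three distinguishable messages described above beside a hardened handler that answers every request with the same message, and a check that a defender can run against either handler to confirm whether responses still reveal account existence. The user store, e-mail addresses and mail stub are constructed for the example.

```python
# Constructed sample user store: username -> e-mail on file (None = no address).
USERS = {
    "alice": "alice@example.com",
    "bob": None,
}

# Stand-in for the mail subsystem; records addresses instead of sending.
SENT = []


def send_reset_mail(address: str) -> None:
    SENT.append(address)


def vulnerable_forgot_password(username: str) -> str:
    """Mirrors the behaviour the advisory reports: the reply depends on
    whether the username exists, so an unauthenticated caller can tell
    valid accounts from invalid ones."""
    if username not in USERS:
        return f"User not found: {username}"
    if USERS[username] is None:
        return "Email address not Found"
    send_reset_mail(USERS[username])
    return "Password has been sent"


UNIFORM_MESSAGE = "If the account exists, a password reset has been sent."


def hardened_forgot_password(username: str) -> str:
    """Same reply for every input: the reset is still mailed when an address
    is on file, but the caller learns nothing about the username.
    The missing-address case is a server-side log event, not a reply."""
    email = USERS.get(username)
    if email:
        send_reset_mail(email)
    return UNIFORM_MESSAGE


def response_leaks_existence(handler) -> bool:
    """Defender's check: probe a known user, a user without an e-mail
    address and an unknown user; if the handler yields more than one
    distinct reply it still discloses account existence."""
    probes = ["alice", "bob", "no-such-user"]
    replies = {handler(name) for name in probes}
    return len(replies) > 1
```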

References:

Vendor URL: http://www3.ca.com/Solutions/Product.asp?ID=4588

Security Tracker: 1011381

Secunia Advisory ID: 12620

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0252.html

CVE: CVE-2004-1697