OS/400 POP3 Server User Account/Profile Enumeration

2005-04-15T09:15:20
ID OSVDB:15510
Type osvdb
Reporter Shalom Carmel (shalom@venera.com)
Modified 2005-04-15T09:15:20

Description

Vulnerability Description

OS/400 POP3 Server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker attempts to log in: the error messages returned disclose username and password status information, resulting in a loss of confidentiality.

Technical Description

The status messages POP3 displays are:

- No user found
- Good user, password not correct for user profile
- Good user, but user profile is disabled
- Good user, but password for user profile has expired
- Good user, but no password associated with user profile
- Good password, good user
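The following is an added example, not code from the advisory or from OS/400: a small Python model of a login handler that contrasts replies naming each of the six states above with a single uniform failure reply. The profile table, the state names, the order of checks and the reply strings are all assumptions made for this model.

```python
import hmac

# Constructed sample profiles: name -> (stored password, status).
# Plaintext passwords only to keep the model short.
PROFILES = {
    "ALICE": ("s3cret", "active"),
    "BOB": ("s3cret", "disabled"),
    "CAROL": ("s3cret", "expired"),
    "DAVE": (None, "active"),
}
# Constructed login attempts that reach all six states.
ATTEMPTS = [("NOBODY", "x"), ("ALICE", "wrong"), ("BOB", "s3cret"),
            ("CAROL", "s3cret"), ("DAVE", "x"), ("ALICE", "s3cret")]
AUDIT_LOG = []  # server-side record of the real failure reason

def classify(user, password):
    """Map a login attempt to one of the six states (check order is assumed)."""
    entry = PROFILES.get(user.upper())
    if entry is None:
        return "no_user"
    stored, status = entry
    if stored is None:
        return "no_password"
    if status != "active":
        return status  # "disabled" or "expired"
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return "bad_password"
    return "ok"

def leaky_reply(user, password):
    """Reply names the exact state, as in the behaviour described above."""
    state = classify(user, password)
    return "+OK" if state == "ok" else f"-ERR {state}"

def uniform_reply(user, password):
    """Every failure gets one reply; the reason is kept server-side only."""
    state = classify(user, password)
    if state == "ok":
        return "+OK"
    AUDIT_LOG.append((user, state))
    return "-ERR authentication failed"

def failure_replies(reply_fn, attempts=ATTEMPTS):
    """Distinct failure replies visible to a client; more than one leaks state."""
    replies = (reply_fn(u, p) for u, p in attempts)
    return {r for r in replies if r.startswith("-ERR")}
```

`failure_replies` can serve as a regression check: a handler passes when the set it returns has exactly one element.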

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

- Secunia Advisory ID: 14964
- Other Advisory URL: http://www.venera.com/downloads/Enumeration_of_AS400_users_via_pop3.pdf
- Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0229.html
- CVE-2005-1133