下面是原始网页http://seclists.org/oss-sec/2017/q2/34的快照。安全客与该网页作者无关,不对其内容负责。 刷新快照
oss-sec: Request CVE ID for information disclosure present in ForgeRock OpenIDM 4.0.0 and 4.5.0
Home page logo

oss-sec mailing list archives

Request CVE ID for information disclosure present in ForgeRock OpenIDM 4.0.0 and 4.5.0
From: Oliveira Lima <oliveiralimajr () gmail com>
Date: Fri, 7 Apr 2017 19:49:58 -0300

Request CVE ID for information disclosure present in ForgeRock OpenIDM
4.0.0 and 4.5.0

Description
***********************

The OpenIDM info endpoint may leak sensitive information under certain
circumstances.
Looking closely I noticed that amid the requests for access to solution idm
several requests on behalf of a user: "anonymous", editing these requests I
got a return code 200, containing information from the internal server,
such as addresses Ips, thus characterizing an information disclosure
vulnerability.


Proof of Concept URL
***************************

*http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/
<http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/>*

Report Timeline
************************
10-Jan-2017- Reported
11-Jan-2017- Vendor Response
28 -March-2017- Vendor Fixed
07-April-2017- Public disclosed

Vendo Reference
*****************
*https://backstage.forgerock.com/knowledge/kb/article/a92936505
<https://backstage.forgerock.com/knowledge/kb/article/a92936505>*
<https://br.wordpress.org/plugins/simple-photo-gallery/changelog/>
References
*****************

<https://br.wordpress.org/plugins/simple-photo-gallery/changelog/>
https://www.owasp.org/index.php/Information_Leak_(information_disclosure)
<http://www.rootlabs.com.br/xss-simple-photo-gallery/>
*https://backstage.forgerock.com/knowledge/kb/article/a92936505
<https://backstage.forgerock.com/knowledge/kb/article/a92936505>*

*http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/
<http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/>*

-- 
Oliveira Lima Jr
roothc.com.br
Linkedin <http://br.linkedin.com/pub/oliveira-lima-junior/2b/48/285/>
@oliveiralimajr <https://twitter.com/oliveiralimajr>

  By Date           By Thread  

Current thread:
  • Request CVE ID for information disclosure present in ForgeRock OpenIDM 4.0.0 and 4.5.0 Oliveira Lima (Apr 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]