oss-sec mailing list archives
Request CVE ID for information disclosure present in ForgeRock OpenIDM 4.0.0 and 4.5.0
From: Oliveira Lima <oliveiralimajr () gmail com>
Date: Fri, 7 Apr 2017 19:49:58 -0300
Request CVE ID for information disclosure present in ForgeRock OpenIDM 4.0.0 and 4.5.0

Description
***********************
The OpenIDM info endpoint may leak sensitive information under certain circumstances. Looking closely, I noticed that among the requests made while accessing the IDM solution there were several requests on behalf of the user "anonymous"; editing these requests, I got a return code 200 containing information from the internal server, such as IP addresses, thus characterizing an information disclosure vulnerability.

Proof of Concept URL
***************************
http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/

Report Timeline
************************
10-Jan-2017 - Reported
11-Jan-2017 - Vendor response
28-March-2017 - Vendor fixed
07-April-2017 - Public disclosure

Vendor Reference
*****************
https://backstage.forgerock.com/knowledge/kb/article/a92936505

References
*****************
https://br.wordpress.org/plugins/simple-photo-gallery/changelog/
https://www.owasp.org/index.php/Information_Leak_(information_disclosure)
http://www.rootlabs.com.br/xss-simple-photo-gallery/
https://backstage.forgerock.com/knowledge/kb/article/a92936505
http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/

--
Oliveira Lima Jr
roothc.com.br
Linkedin <http://br.linkedin.com/pub/oliveira-lima-junior/2b/48/285/>
@oliveiralimajr <https://twitter.com/oliveiralimajr>
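The condition the advisory describes is an anonymous caller receiving a 200 from the info endpoint with internal addresses in the body. The following is an added example (not code from the post, the vendor, or OpenIDM) of a check a deployment owner can run against captured responses to confirm that the fix holds; the response bodies are constructed and do not reproduce the real endpoint's output.

```python
import ipaddress
import json
import re
from typing import Any

# Matches IPv4 dotted quads embedded anywhere inside a string value.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def internal_ips(value: Any) -> set[str]:
    """Walk a decoded JSON document (or a bare string) and collect IPv4
    addresses that are private, loopback or link-local: internal network
    detail that an unauthenticated caller should never receive."""
    found: set[str] = set()
    if isinstance(value, dict):
        for v in value.values():
            found |= internal_ips(v)
    elif isinstance(value, list):
        for v in value:
            found |= internal_ips(v)
    elif isinstance(value, str):
        for cand in IPV4_RE.findall(value):
            try:
                ip = ipaddress.IPv4Address(cand)
            except ValueError:  # e.g. 999.1.1.1 matched by the regex
                continue
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                found.add(cand)
    return found


def assess_info_response(user: str, status: int, body: str) -> dict:
    """Classify one info-endpoint response. It is flagged only when the
    caller was 'anonymous', the status was 200 AND the body exposes
    internal IPs; a 401/403 for anonymous is the expected hardened state."""
    leaked: set[str] = set()
    if status == 200:
        try:
            leaked = internal_ips(json.loads(body))
        except json.JSONDecodeError:
            leaked = internal_ips(body)  # non-JSON body: scan it as text
    return {
        "anonymous": user == "anonymous",
        "status": status,
        "internal_ips": sorted(leaked),
        "vulnerable": user == "anonymous" and status == 200 and bool(leaked),
    }


# Constructed sample bodies (not captured from a real deployment).
LEAKY_BODY = json.dumps({"host": {"name": "idm-node-1", "ip": "10.0.12.7"},
                         "peers": ["192.168.4.20:8080"], "version": "4.5.0"})
SAFE_BODY = json.dumps({"code": 401, "reason": "Unauthorized"})
```

Feed it the user, status and body of each request your proxy or access log recorded for the info endpoint; any entry with `"vulnerable": True` means the patch or access-control configuration is not in effect.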