oss-sec mailing list archives

Request CVE ID for information disclosure present in ForgeRock OpenIDM 4.0.0 and 4.5.0


From: Oliveira Lima <oliveiralimajr () gmail com>
Date: Fri, 7 Apr 2017 19:49:58 -0300

Request CVE ID for information disclosure present in ForgeRock OpenIDM
4.0.0 and 4.5.0

Description
***********************

The OpenIDM info endpoint may leak sensitive information under certain
circumstances.
Looking closely, I noticed that amid the requests for access to the IDM
solution there were several requests on behalf of a user "anonymous".
Editing these requests, I got a return code 200 containing information from
the internal server, such as IP addresses, thus characterizing an
information disclosure vulnerability.


Proof of Concept URL
***************************

http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/

Report Timeline
************************
10-Jan-2017 - Reported
11-Jan-2017 - Vendor Response
28-March-2017 - Vendor Fixed
07-April-2017 - Publicly disclosed

Vendor Reference
*****************
https://backstage.forgerock.com/knowledge/kb/article/a92936505

References
*****************

https://br.wordpress.org/plugins/simple-photo-gallery/changelog/
https://www.owasp.org/index.php/Information_Leak_(information_disclosure)
http://www.rootlabs.com.br/xss-simple-photo-gallery/
https://backstage.forgerock.com/knowledge/kb/article/a92936505
http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/

-- 
Oliveira Lima Jr
roothc.com.br
Linkedin <http://br.linkedin.com/pub/oliveira-lima-junior/2b/48/285/>
@oliveiralimajr <https://twitter.com/oliveiralimajr>
