Re: Remedy Action Request System 5.01.02 - User Enumeration
Jan 16 2007 10:09AM
Davide Del Vecchio (dante alighieri org)
Lee Rumble writes:

> This has always been the case with the Remedy system which I use day in
> and day out. This is also present in older versions too and I have spoken
> with them about this, but they do not deem this to be a security flaw.

Hello Lee,

Whether or not they think it is a security flaw, well, that's their opinion.
I think that the possibility to enumerate users is a security flaw. And you?

> Gaining access to the system itself has no real advantages either.

It depends on what the system is used for. There are a lot of companies
that attach important documents to Remedy tickets or use Remedy
to trace every activity. According to you, is it important to access the
repository in which every activity has been traced?

Best regards,

d.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Davide Del Vecchio "Dante Alighieri" dante (at) alighieri (dot) org
http://www.alighieri.org http://legaest.blogspot.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Copyright 2010, SecurityFocus