• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

RSA SecurID WebID Debug Mode Information Disclosure Vulnerability

RSA SecurID is a commercial product which provides local and remote authentication to restrict unauthorized access to resources on a host. WebID provides web-based authentication.

Due to an input validation error, it is possible for a remote attacker to insert a null(%00) into a web request to cause SecurID WebID to go into debug mode. This may allow the remote attacker to glean information about the host from the errors that occur.

The null character must be placed before the first directory in a specially crafted web request.