[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

POC - Sun Java System Acccess Manager & Identity Manager Users Enumeration



============================================================
 Sun Java System Acccess Manager & Identity Manager Users Enumeration
============================================================

 Affected Software: Sun Java System Access Server, OpenSSo
                               Sun Java System Identity Manager

 Author: Marco Mella - marco[ dot ]mella[at]aboutsecurity[dot]net
 More information, Advisory and POC URL: http://www.aboutsecurity.net

Sun Java System Identity Manager Security Vulnerabilities
    Sun Java System Identity Manager 7.0
    Sun Java System Identity Manager 7.1
    Sun Java System Identity Manager 7.1.1
    Sun Java System Identity Manager 8.0
 Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1

Sun Java System Identity Manager
    Sun Java System Access Manager 6 2005Q1 (6.3)
    Sun Java System Access Manager 7 2005Q4 (7.0)
    Sun Java System Access Manager 7.1
 Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-242026-1

 [Summary]

 A Security Vulnerability in Sun Java System Access Manager and Identity
Manager allow a Remote Unprivileged User to Determine the existence of
"guessed" UserID  facilitating brute-force attacks.


[Proof of Concept]
Simple POC for users enumeration on Access Manager and Identity Manager
available on http://www.aboutsecurity.net