[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2012-6452 Axway Secure Messenger Username Disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CVE-2012-6452 Axway Secure Messenger Username Disclosure
From: jason.doyle@xxxxxxxxxxxxxxxxxxx
Date: Thu, 17 Jan 2013 18:38:13 GMT

Product: Axway Email Firewall
Component: Secure Messenger
Vendor: Axway
Vulnerable Version(s): 6.5 and earlier on the Email Firewall (EMF) platform only
Tested Version: 6.3.2 (Build 4230)
Vendor Notification: December 8, 2012 
Vendor Patch: Secure Messenger version 6.5.0 Updated Release 7
Public Disclosure: January 17, 2013
Vulnerability Type: Username Disclosure
CVE Reference: CVE-2012-6452
Solution Status: Fixed by Vendor
Credit: Jason Doyle / FishNet Security
 
Advisory Details:
When authenticating to Secure Messenger on Axway's Email Firewall, vulnerable 
versions return different HTTP header responses for users that exist and users 
that do not exist when an incorrect password is supplied. Specifically, two (2) 
JSESSIONIDs are returned for valid users, and one (1) for invalid users.
 
Solution:
Upgrade to Secure Messenger version 6.5 Updated Release 7, or migrate to Axway 
MailGate 5.2.0 (or later) for the equivalent functionality.
 
Contact:
support.axway.com

Prev by Date: NSOADV-2013-002: DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)
Next by Date: Recently-revised IETF I-Ds about IPv6 security
Previous by thread: NSOADV-2013-002: DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)
Next by thread: Recently-revised IETF I-Ds about IPv6 security
Index(es):
- Date
- Thread