Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12550
HistoryMay 05, 2006 - 12:00 a.m.

[Full-disclosure] WebCalendar User Account Enumeration Weakness

2006-05-0500:00:00
vulners.com
6
JSON

WebCalendar is a PHP-based calendar application that can be configured
as a single-user calendar, a multi-user calendar for groups of users,
or as an event calendar viewable by visitors.
See project homepage for details: http://www.k5n.us/webcalendar.php

Description:

The problem is that different error messages are returned depending
on whether an unsuccessful login attempt is performed with a valid or
invalid username in the login page.

Error message extract from 'includes/user.php' can be
"Invalid login"
"Invalid login: incorrect password"
"Invalid login: no such user"

The weakness has been confirmed in version 1.0.1, 1.0.2, 1.0.3.
Other versions may also be affected.

David Maciejak

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON