Executive Summary
| Summary | |
|---|---|
| Title | New webcalendar packages fix information leak |
| Informations | |||
|---|---|---|---|
| Name | DSA-1056 | First vendor Publication | 2006-05-15 |
| Vendor | Debian | Last vendor Modification | 2006-05-15 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 5 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| David Maciejak noticed that webcalendar, a PHP-Based multi-user calendar, returns different error messages on login attempts for an invalid password and a non-existing user, allowing remote attackers to gain information about valid usernames. The old stable distribution (woody) does not contain a webcalendar package For the stable distribution (sarge) this problem has been fixed in version 0.9.45-4sarge4. For the unstable distribution (sid) this problem will be fixed soon. We recommend that you upgrade your webcalendar package. |
Original Source
| Url : http://www.debian.org/security/2006/dsa-1056 |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 3 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-10-24 | Name : WebCalendar User Account Enumeration Disclosure Issue File : nvt/webcalendar_info_disclosure.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 1056-1 (webcalendar) File : nvt/deb_1056_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 25280 | WebCalendar Login Error Message User Account Enumeration WebCalendar contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when invalid credentials are provided to the application. The application responds with different messages to valid and invalid user name/password combinations, allowing an attacker to enumerate valid user names and resulting in a loss of confidentiality. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1056.nasl - Type : ACT_GATHER_INFO |
| 2006-05-16 | Name : The remote web server is affected by an information disclosure issue. File : webcalendar_info_disclosure.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:25:46 |
|
