| OSVDB ID | Disclosure Date | Title |
|---|
|
343
Description:
Many applications are designed to reveal their version number, configuration revision number or other such information. While helpful to administrators, this information is often valuable to would-be attackers in carrying out further, more focused attacks.
|
1980-01-01
|
Multiple Products Version Disclosure Weakness
|
|
751
Description:
Some systems may have an account policy that does not allow a user to change their password. This may be due to poor configuration or even as a result of an overzealous security posture. User accounts that do not allow password changes may pose a higher risk to an organization. If such an account has the password compromised for whatever reason, the user is unable to change the password once the disclosure is discovered. This may give an attacker an increased window to login to the account before an administrator can change the password.
|
1980-01-01
|
User Account Policy Password Cannot Be Changed
|
|
752
Description:
System administrators will often disable an account after it is no longer being used. This is intended to lock the account out so that it may not be used until the administrator re-enables it. Historically, there have been several vulnerabilities that affect system behavior in regards to disabled accounts. Such vulnerabilities have allowed attackers to log into these accounts by bypassing the lockout. Administrators may also make global account changes that inadvertantly affect disabled accounts.
|
1980-01-01
|
User Account Policy Disabled Accounts
|
|
754
Description:
Some system administrators issue user accounts that end up never being used. A strong user account policy will make periodic checks for such accounts and delete them. These accounts can be a security concern as they provide an attacker with a significant advantage in brute force attacks. As users log onto a system, there is typically a message indicating where the last login was from, and/or how many failed login attempts there were before authenticating. If a user notices hundreds or thousands of failed login attempts, they can warn the administrator of suspicious activity. If a user account exists but is not used by anyone, such attacks may go unnoticed. As such, it is ideal if unused accounts or not only locked out, but deleted completely.
|
1980-01-01
|
User Account Policy Account Has Never Logged In
|
|
755
Description:
Some systems are configured so that user accounts have passwords that do not expire. This means a user can continue logging into the account with the same password indefinitely. This is considered by most to be a bad security practice as it may assist an attacker carry out brute force style attacks against the system, with a higher chance for success. In addition, if an attacker is able to get a password via a method such as 'trashing' or obtaining the hashed passwords, by the time they are able to try to login with it, the password may be changed. By requiring users to change their passwords frequently, it is more difficult for an attacker to carry out such attacks and significantly lowers the window of risk.
|
1980-01-01
|
User Account Policy Password Never Changed/Expires
|
|
840
Description:
Several Network News Server contains a flaw that may allow a remote attacker to bypass authentication settings. The issue is triggered when the Network News Server is configured to allow anonymous access. It is possible that the flaw may allow a remote attacker to browse groups, post messages and/or share illegal software resulting in a loss of confidentiality and/or integrity.
|
1980-01-01
|
Network News Server Anonymous Access
|
