Microsiga Protheus Username Enumeration Weakness
Release Date : 2011-03-17
Criticality level : Not critical
Impact : Exposure of sensitive information
Where : From local network
Solution Status: Unpatched
Software: Microsiga Protheus 10.x
Microsiga Protheus 8.x
Flavio do Carmo Junior has reported a weakness in Microsiga Protheus, which can be exploited by malicious people to disclose sensitive information.
The authentication procedure returns different messages depending on the existence of the provided username. This can be exploited to enumerate valid usernames.
The weakness is reported in versions 8 and 10. Other versions may also be affected.
Restrict access to trusted users only.
Provided and/or discovered by:
Flavio do Carmo Junior (waKKu), DcLabs Security Research Group