Debian fix for vulnerability CVE-2006-2247
The patch below is applied to the Debian package for WebCalendar in order to fix the vulnerability CVE-2006-2247: "WebCalendar generates different error messages depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames."
Please consider applying it for the next release.
Rafael Laboissiere
Patch for fixing CVE-2006-2247
Logged In: YES
user_id=24666
Originator: YES
I forgot to say that the attached patch applies cleanly to 1.1.5.
Logged In: YES
user_id=14386
Originator: NO
Rafael,
The patch does not take advantage of the $silent option, which will be used in production systems. I'd like to keep the option of turning on the informative messages (for development systems) since we get a _lot_ of help requests for users not being able to log in.
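
The following is an added example, not part of this thread, the attached patch, or WebCalendar's code. It sketches one way to reconcile the two positions above: a single client-facing failure message when a silent flag is on, the specific reason only when it is off, and the reason always written to the server log. The function name `check_login`, the user store and the message strings are hypothetical, the `$silent` parameter only models the behaviour described in the comment above, and the dummy-hash step goes slightly beyond the CVE text by also evening out the password-hashing work on both failure paths.

```php
<?php
// Added illustration; not WebCalendar code. All names are hypothetical.

// Constructed sample user store: username => password hash.
$users = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
];

// Hash that is verified when the username is unknown, so both failure
// paths perform the same password-hashing work.
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

/**
 * Returns [bool $ok, string $clientMessage].
 * $silent = true  : production; one message for every failure.
 * $silent = false : development; the specific reason is returned.
 */
function check_login(array $users, string $dummyHash, string $user,
                     string $pass, bool $silent): array
{
    $known = array_key_exists($user, $users);
    // Always run password_verify(); require $known in addition, so a
    // match against the dummy hash can never log anyone in.
    $ok = password_verify($pass, $known ? $users[$user] : $dummyHash) && $known;
    if ($ok) {
        return [true, 'Login successful'];
    }

    $reason = $known ? 'wrong password' : 'no such user';
    // The specific reason always goes to the server log, where support
    // staff can read it. json_encode() keeps control characters in the
    // submitted username from forging log lines.
    error_log(sprintf('login failed for %s: %s', json_encode($user), $reason));

    return [false, $silent ? 'Invalid login' : "Invalid login: $reason"];
}

// Constructed inputs: a valid username and an invalid one, both with a
// wrong password. In production mode the two messages are identical.
foreach ([['alice', 'bad'], ['mallory', 'bad']] as [$u, $p]) {
    [, $prod] = check_login($users, $dummyHash, $u, $p, true);
    [, $dev]  = check_login($users, $dummyHash, $u, $p, false);
    echo "$u  production: $prod | development: $dev\n";
}
```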