> From: J. Tozo
> Sent: Friday, January 23, 2015 3:35 PM
>
> http://www-01.ibm.com/support/docview.wss?uid=swg21682946
Nice try (just to be polite), but sorry, fail. The title of the IBM bulletin is "Brute-force attack in ClearQuest Web". The detailed description is "IBM Rational ClearQuest could allow a remote attacker to bypass security restrictions, caused by an error in the login form. An attacker could exploit this vulnerability using brute-force techniques to gain access to a user's account." The actual CVE (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3101) description is "The login form in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not insert a delay after a failed authentication attempt, which makes it easier for remote attackers to obtain access via a brute-force attack." So exactly what in any of that are you interpreting as "bypassing authentication"? While the IBM description does indeed include the word "bypass" (but note the actual CVE does not), it says the issue allows you "to bypass security restrictions", not "bypass authentication". If you actually read the bulletin, you will see the problem under discussion is that the web form did not have any mechanism to alleviate against a brute force attack. You could feed it usernames and passwords as fast as the network would allow you to. Honestly, I don't even know if that could be classified as an "error in the login form" so much as the lack of an anti-brute forcing feature. While you did manage to find a document that contained the words "bypass", "bruteforce", and "authentication", it really has no bearing on your CVE nor in any way supports or defends your position that your CVE in any way describes a vulnerability that "bypasses authentication". For the most part, your presentation of this document simply further solidifies my opinion on your lack of understanding of security concepts and basic terminology, as well as your inability to analyze and properly classify security vulnerabilities. But feel free to try again. 
I suppose shooting fish in a barrel isn't very sportsmanlike, but sometimes it does offer a perverse level of enjoyment. And perhaps it is even a bit cathartic after the annoyance you caused me yesterday morning.

--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | hen...@cpp.edu
California State Polytechnic University | Pomona CA 91768

--
You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
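The CVE-2014-3101 text quoted in the message above describes a login form with no delay after a failed attempt, which is what lets a remote attacker submit guesses "as fast as the network would allow". The following is an added illustration, not code from this thread, from IBM, or from the CAS project, of the missing control: a login handler that records failures per account, imposes an exponentially growing wait before the next attempt, and locks the account after a fixed number of failures. The `FakeClock`, `Throttle`, `login`, `simulate_burst` and `simulate_patient` names, the `"alice"` account and the salt are all constructed for the demo; the clock is simulated so the example runs instantly while still showing how much wall-clock time the throttle forces on a guessing attacker.

```python
"""Added example: per-account delay and lockout after failed logins.

Constructed demo, not from the thread or the products discussed. The clock
is simulated so the example runs instantly; real code would use
time.monotonic() and persist the failure table (e.g. in a shared cache).
"""
import hashlib
import hmac
from dataclasses import dataclass, field


class FakeClock:
    """Simulated monotonic clock (assumption: stands in for time.monotonic())."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; iteration count is a demo value, tune for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_account(username, password, salt):
    return Account(username, salt, _hash_password(password, salt))


@dataclass
class Throttle:
    """Tracks failures per username and computes when the next try is allowed."""

    clock: FakeClock
    base_delay: float = 1.0     # seconds after the first failure
    max_delay: float = 60.0     # cap on the per-failure delay
    lockout_after: int = 10     # failures before the account is locked
    failures: dict = field(default_factory=dict)  # username -> (count, not_before)

    def not_before(self, username):
        return self.failures.get(username, (0, 0.0))[1]

    def is_locked(self, username):
        return self.failures.get(username, (0, 0.0))[0] >= self.lockout_after

    def allowed(self, username):
        return not self.is_locked(username) and self.clock.now >= self.not_before(username)

    def record_failure(self, username):
        count = self.failures.get(username, (0, 0.0))[0] + 1
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)  # 1, 2, 4, ... capped
        self.failures[username] = (count, self.clock.now + delay)

    def record_success(self, username):
        self.failures.pop(username, None)


def login(accounts, throttle, username, password):
    """Returns 'ok', 'bad-credentials' or 'throttled'. Refuses before checking
    the password when the account is inside its delay window or locked."""
    if not throttle.allowed(username):
        return "throttled"
    account = accounts.get(username)
    # Hash even for unknown users so timing does not reveal valid usernames.
    salt = account.salt if account else b"\x00" * 16
    expected = account.pw_hash if account else b"\x00" * 32
    if account and hmac.compare_digest(_hash_password(password, salt), expected):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "bad-credentials"


def simulate_burst(accounts, throttle, username, guesses):
    """Guesses sent back-to-back with no waiting (what an unthrottled form accepts).
    Returns (guesses actually checked against the password, guesses refused)."""
    checked = refused = 0
    for guess in guesses:
        if login(accounts, throttle, username, guess) == "throttled":
            refused += 1
        else:
            checked += 1
    return checked, refused


def simulate_patient(accounts, throttle, username, guesses):
    """Guesser waits exactly as long as the throttle demands before each try.
    Returns (guesses checked before lockout, simulated seconds elapsed)."""
    checked = 0
    for guess in guesses:
        wait = throttle.not_before(username) - throttle.clock.now
        if wait > 0:
            throttle.clock.advance(wait)
        if throttle.is_locked(username):
            break
        login(accounts, throttle, username, guess)
        checked += 1
    return checked, throttle.clock.now


if __name__ == "__main__":
    accounts = {"alice": make_account("alice", "correct horse", b"constructed-salt")}
    wrong = [f"guess{i}" for i in range(20)]
    print("burst  :", simulate_burst(accounts, Throttle(FakeClock()), "alice", wrong))
    print("patient:", simulate_patient(accounts, Throttle(FakeClock()), "alice", wrong))
```

With these constructed settings a burst of 20 guesses gets exactly one password check (the rest are refused inside the first one-second window), and a guesser who dutifully waits out each delay reaches the lockout after 10 checks and 303 simulated seconds; without the throttle the same 20 guesses would all be checked as fast as the round trips complete. A production deployment would also key the table on source address, use a shared store so every web node sees the same counts, and alert on accounts that hit lockout.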