CWE-204: Observable Response Discrepancy

参考: CVE-2002-2094

This, and others, use ".." attacks and monitor error responses, so there is overlap with directory traversal.

参考: CVE-2001-1483

Enumeration of valid usernames based on inconsistent responses

参考: CVE-2001-1528

Account number enumeration via inconsistent responses.

参考: CVE-2004-2150

User enumeration via discrepancies in error messages.

参考: CVE-2005-1650

User enumeration via discrepancies in error messages.

参考: CVE-2004-0294

Bulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack.

参考: CVE-2004-0243

Operating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods.

参考: CVE-2002-0514

Product allows remote attackers to determine if a port is being filtered because the response packet TTL is different than the default TTL.

参考: CVE-2002-0515

Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs.

参考: CVE-2001-1387

Product may generate different responses than specified by the administrator, possibly leading to an information leak.

参考: CVE-2004-0778

Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.

参考: CVE-2004-1428

FTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames.