Re: Script for find domino's users

From: nicobat_private
Date: Fri Feb 01 2002 - 04:41:07 PST


    31/01/2002 21:03:10, "Simon Delicata" <sdelicataat_private> wrote:
    
    >Two things can be done to avoid this :
    >
    >1 - Change the ACL on sensitive databases ( /mail/* , names.nsf ) to :
    >      Anonymous - No access
    >      [Default] - No access
    
    In my opinion, a Domino webserver configured with these ACLs still allows enumeration of 
    valid users.
    
    If you try to GET a file named /mail/toto.nsf :
    - toto doesn't exist => 404
    - toto exists => redirection to the login page ("200 OK")
    
    I'm not aware of any ACL configuration which forbids this behaviour.
    
    
    Nicob
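Since the ACL cannot suppress the 404-versus-200 difference Nicob describes, the practical mitigation is to spot it in the HTTP log. The following is an added example (not part of this post or of Domino itself): it parses Common Log Format lines, which the Domino HTTP task can emit, and flags a client that requests many distinct /mail/<name>.nsf files with a mix of 404 and 200 answers. The log lines, the thresholds and the treatment of 302 as equivalent to 200 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format), not from the original post.
# 10.0.0.5 walks through several mail files; 10.0.0.9 is a normal user opening one.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2002:09:00:01 -0800] "GET /mail/alice.nsf HTTP/1.0" 200 1523
10.0.0.5 - - [01/Feb/2002:09:00:02 -0800] "GET /mail/bob.nsf HTTP/1.0" 404 312
10.0.0.5 - - [01/Feb/2002:09:00:02 -0800] "GET /mail/carol.nsf HTTP/1.0" 404 312
10.0.0.5 - - [01/Feb/2002:09:00:03 -0800] "GET /mail/dave.nsf HTTP/1.0" 200 1523
10.0.0.5 - - [01/Feb/2002:09:00:03 -0800] "GET /mail/erin.nsf HTTP/1.0" 404 312
10.0.0.9 - - [01/Feb/2002:09:05:10 -0800] "GET /mail/alice.nsf HTTP/1.0" 200 1523
10.0.0.9 - - [01/Feb/2002:09:05:11 -0800] "GET /mail/alice.nsf/($Inbox)?OpenView HTTP/1.0" 200 8812
"""

# client, method, path and status from a CLF line; the rest is ignored.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')
# the mail-file name in /mail/<name>.nsf, with or without a trailing view path
MAILFILE_RE = re.compile(r'^/mail/([^/?]+)\.nsf', re.IGNORECASE)


def find_enumeration(log_text, min_names=4, min_misses=2):
    """Return {client: {"names": set, "404": n, "200": n}} for clients that touched
    at least min_names distinct mail files and got at least min_misses 404s.
    Assumption: a legitimate user opens one or two mail files, not a list of them."""
    per_client = defaultdict(lambda: {"names": set(), "404": 0, "200": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        mf = MAILFILE_RE.match(path)
        if not mf:
            continue
        rec = per_client[client]
        rec["names"].add(mf.group(1).lower())
        if status == "404":                # name does not exist
            rec["404"] += 1
        elif status in ("200", "302"):     # exists: login page (302 assumed equivalent)
            rec["200"] += 1
    return {c: r for c, r in per_client.items()
            if len(r["names"]) >= min_names and r["404"] >= min_misses}


if __name__ == "__main__":
    for client, rec in find_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {len(rec['names'])} mail files probed, "
              f"{rec['404']} missing, {rec['200']} existing")
```

Thresholds should be tuned against your own baseline; the signal is the breadth of distinct names per client rather than any single status code.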
    



    This archive was generated by hypermail 2b30 : Sun Feb 03 2002 - 19:24:36 PST