31/01/2002 21:03:10, "Simon Delicata" <sdelicataat_private> wrote :

>Two things can be done to avoid this :
>
>1 - Change the ACL on sensitive databases ( /mail/* , names.nsf ) to :
> Anonymous - No access
> [Default] - No access

In my opinion, a Domino webserver configured with these ACLs still allows enumeration of valid users.

If you try to GET a file named /mail/toto.nsf :
- toto doesn't exist => 404
- toto exists => redirection to the login page ("200 OK")

I'm not aware of any ACL configuration which forbids this behaviour.

Nicob
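The 404-versus-login-page difference described in the message above also shows up in the web server's access log, where it can be watched for. The following is an added example, not part of the original post: it flags clients that request many distinct /mail/<name>.nsf paths and mostly receive 404. The Common Log Format layout, the thresholds and the function name `find_mail_enumeration` are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumption: the access log is in Common Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?:GET|HEAD) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
MAIL_RE = re.compile(r'^/mail/(?P<name>[^/?]+)\.nsf', re.IGNORECASE)

def find_mail_enumeration(lines, min_names=5, min_miss_ratio=0.5):
    """Flag clients that probe many distinct mail databases and mostly get 404.

    Returns {ip: {"probed": n, "misses": n, "confirmed": [names]}}.
    """
    seen = defaultdict(dict)  # ip -> {mailbox name: last status seen}
    for line in lines:
        m = LOG_RE.match(line)
        mail = MAIL_RE.match(m.group("path")) if m else None
        if not mail:
            continue
        seen[m.group("ip")][mail.group("name").lower()] = int(m.group("status"))
    findings = {}
    for ip, names in seen.items():
        misses = sum(1 for status in names.values() if status == 404)
        if len(names) >= min_names and misses / len(names) >= min_miss_ratio:
            findings[ip] = {
                "probed": len(names),
                "misses": misses,
                # Any non-404 answer told the client that the mailbox exists.
                "confirmed": sorted(n for n, s in names.items() if s != 404),
            }
    return findings

def _line(ip, path, status):
    # Builds one constructed Common Log Format line for the sample below.
    return f'{ip} - - [31/Jan/2002:21:10:00 +0100] "GET {path} HTTP/1.0" {status} 512'

# Constructed sample: one client guessing names, one user reading their own mail.
SAMPLE = [_line("192.0.2.10", f"/mail/{name}.nsf", status) for name, status in
          [("admin", 404), ("jsmith", 404), ("toto", 200),
           ("test", 404), ("mdupont", 404), ("root", 404)]]
SAMPLE += [_line("198.51.100.7", "/mail/jdoe.nsf?OpenDatabase", 200)] * 3

if __name__ == "__main__":
    for ip, info in find_mail_enumeration(SAMPLE).items():
        print(ip, info)
```

The `confirmed` list is the set of user names the server has already disclosed to that client, which is what an incident responder would want to know first.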
This archive was generated by hypermail 2b30 : Sun Feb 03 2002 - 19:24:36 PST