Hi, during a pen-test against a Domino 5.0.8 webserver, I was able to enumerate valid users. A simple "GET /mail/toto.nsf HTTP/1.0" redirects to the login page (with a "200 OK" HTTP code) if the user "toto" exists and a "404 File not Found" is returned if the user doesn't exist. This issue can allow a faster brute force attack on HTTP passwords. I have search the Net for more information about this problem, but I found nothing. Can the readers reproduce this behaviour ? Do you see others implications than users enumeration (for social engineering and brute force attacks) ? Nicob
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 09:04:30 PST