Yes. The same problem here! Domino 5.0.8A

----- Original Message -----
From: <nicobat_private>
To: <vuln-devat_private>
Sent: Wednesday, January 30, 2002 2:54 PM
Subject: Enumerating users on a Domino webserver

> From: nicobat_private on 30/01/2002 17:54 CET
>
> To: vuln-devat_private
> cc:
> Subject: Enumerating users on a Domino webserver
>
> Hi,
>
> during a pen-test against a Domino 5.0.8 webserver, I was able to enumerate
> valid users.
>
> A simple "GET /mail/toto.nsf HTTP/1.0" redirects to the login page (with a
> "200 OK" HTTP code) if the user "toto" exists, and a "404 File not Found" is
> returned if the user doesn't exist.
> This issue can allow a faster brute force attack on HTTP passwords.
>
> I have searched the Net for more information about this problem, but I found
> nothing.
>
> Can the readers reproduce this behaviour?
> Do you see other implications than user enumeration (for social
> engineering and brute force attacks)?
>
> Nicob
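The behaviour described above (200 for an existing mail file, 404 for a missing one) leaves a recognisable trace in the web server log: one client requesting many different /mail/<name>.nsf paths with a mix of 200 and 404 responses. The following detection script is an added example, not code from the original post or from Domino; it assumes the server logs requests in common log format and that mail files live under /mail/<name>.nsf as in the post. The log lines, addresses and user names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines in common log format (not taken from the original post).
# 10.0.0.5 probes six different mail files and gets a mix of 200 and 404;
# 10.0.0.9 is an ordinary user opening their own mail file.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jan/2002:17:54:01 +0100] "GET /mail/alice.nsf HTTP/1.0" 200 1532
10.0.0.5 - - [30/Jan/2002:17:54:02 +0100] "GET /mail/bob.nsf HTTP/1.0" 404 312
10.0.0.5 - - [30/Jan/2002:17:54:02 +0100] "GET /mail/carol.nsf HTTP/1.0" 404 312
10.0.0.5 - - [30/Jan/2002:17:54:03 +0100] "GET /mail/dave.nsf HTTP/1.0" 200 1532
10.0.0.5 - - [30/Jan/2002:17:54:03 +0100] "GET /mail/erin.nsf HTTP/1.0" 404 312
10.0.0.5 - - [30/Jan/2002:17:54:04 +0100] "GET /mail/frank.nsf HTTP/1.0" 404 312
10.0.0.9 - - [30/Jan/2002:17:55:10 +0100] "GET /mail/alice.nsf HTTP/1.0" 200 1532
10.0.0.9 - - [30/Jan/2002:17:55:12 +0100] "GET /mail/alice.nsf/($Inbox)?OpenView HTTP/1.0" 200 8820
"""

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Mail file path as in the post: /mail/<name>.nsf, optionally followed by / or ?
MAILFILE_RE = re.compile(r'^/mail/(?P<user>[^/?]+)\.nsf(?=[/?]|$)', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_enumeration(lines, min_distinct=5, min_not_found_ratio=0.5):
    """Flag source addresses that touched many distinct mail files with a high 404 share.

    A legitimate user opens one or two mail files and rarely hits a 404; a name
    sweep touches many distinct names and collects 404s for the ones that do not exist.
    Returns {ip: summary} for the flagged addresses only.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "found": set(), "not_found": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        mf = MAILFILE_RE.match(rec["path"])
        if not mf:
            continue
        user = mf.group("user").lower()
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        if rec["status"] == 404:
            stats["not_found"].add(user)
        elif rec["status"] == 200:
            stats["found"].add(user)

    flagged = {}
    for ip, stats in per_ip.items():
        distinct = stats["found"] | stats["not_found"]
        if len(distinct) < min_distinct:
            continue
        ratio = len(stats["not_found"]) / len(distinct)
        if ratio < min_not_found_ratio:
            continue
        flagged[ip] = {
            "requests": stats["requests"],
            "distinct_users": len(distinct),
            "found": len(stats["found"]),
            "not_found": len(stats["not_found"]),
            # Names the probe confirmed as existing; watch these for follow-up login attempts.
            "existing_names_probed": sorted(stats["found"]),
        }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The thresholds are deliberately tunable: on a busy server a single 404 on a mail file is ordinary (a mistyped bookmark), so the rule keys on the number of distinct names from one address and the share of them that did not exist. The list of existing names the probe confirmed is kept so that those accounts can be watched for the follow-up password guessing the post anticipates.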
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 09:53:29 PST