Vulnerability Development mailing list archives
Re: Enumerating users on a Domino webserver
From: "Bruno Mosconi" <bmosconi () fnazca com br>
Date: Wed, 30 Jan 2002 15:07:48 -0200
Yes. The same problem here! Domino 5.0.8A

----- Original Message -----
From: <nicob () nicob net>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, January 30, 2002 2:54 PM
Subject: Enumerating users on a Domino webserver
From: nicob () nicob net on 30/01/2002 17:54 CET
To: vuln-dev () securityfocus com
cc:
Subject: Enumerating users on a Domino webserver

Hi,

during a pen-test against a Domino 5.0.8 webserver, I was able to enumerate valid users. A simple "GET /mail/toto.nsf HTTP/1.0" redirects to the login page (with a "200 OK" HTTP code) if the user "toto" exists and a "404 File not Found" is returned if the user doesn't exist.

This issue can allow a faster brute force attack on HTTP passwords.

I have searched the Net for more information about this problem, but I found nothing. Can the readers reproduce this behaviour? Do you see other implications than user enumeration (for social engineering and brute force attacks)?

Nicob
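A defender-side check for the probing pattern described in this thread, as an added example that is not part of the original posts: it scans web access logs for a single client requesting many distinct /mail/<name>.nsf paths with a high share of 404 answers. Common Log Format is assumed, and the log lines, thresholds and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (Common Log Format); not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jan/2002:17:01:02 +0100] "GET /mail/alice.nsf HTTP/1.0" 200 3120
192.0.2.10 - - [30/Jan/2002:17:01:02 +0100] "GET /mail/bob.nsf HTTP/1.0" 404 210
192.0.2.10 - - [30/Jan/2002:17:01:03 +0100] "GET /mail/carol.nsf HTTP/1.0" 200 3120
192.0.2.10 - - [30/Jan/2002:17:01:03 +0100] "GET /mail/dave.nsf HTTP/1.0" 404 210
192.0.2.10 - - [30/Jan/2002:17:01:04 +0100] "GET /mail/erin.nsf HTTP/1.0" 404 210
192.0.2.10 - - [30/Jan/2002:17:01:04 +0100] "GET /mail/frank.nsf HTTP/1.0" 404 210
198.51.100.7 - - [30/Jan/2002:17:02:10 +0100] "GET /mail/carol.nsf HTTP/1.0" 200 3120
198.51.100.7 - - [30/Jan/2002:17:05:44 +0100] "GET /mail/carol.nsf HTTP/1.0" 200 3120
198.51.100.7 - - [30/Jan/2002:17:09:12 +0100] "GET /index.html HTTP/1.0" 200 880
"""

# Client IP, request path and status code from one Common Log Format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|HEAD|POST) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Mailbox name in /mail/<name>.nsf, with or without a trailing query or sub-path.
MAILBOX_RE = re.compile(r'^/mail/([^/?#]+)\.nsf(?:[/?#]|$)', re.IGNORECASE)

def find_enumeration(log_text, min_names=5, min_404_ratio=0.5):
    """Return {client_ip: stats} for clients probing many distinct mailboxes."""
    names = defaultdict(set)   # ip -> distinct mailbox names requested
    misses = defaultdict(set)  # ip -> names answered with 404
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        mb = MAILBOX_RE.match(m.group("path")) if m else None
        if not mb:
            continue  # unparsable line or not a mailbox request
        name = mb.group(1).lower()
        names[m.group("ip")].add(name)
        if m.group("status") == "404":
            misses[m.group("ip")].add(name)
    flagged = {}
    for ip, seen in names.items():
        ratio = len(misses[ip]) / len(seen)
        # A normal user opens one or two mailboxes; a prober touches many and mostly misses.
        if len(seen) >= min_names and ratio >= min_404_ratio:
            flagged[ip] = {
                "distinct": len(seen),
                "not_found": len(misses[ip]),
                # Names that did not 404: accounts whose existence was disclosed.
                "existing": sorted(seen - misses[ip]),
            }
    return flagged
```

The "existing" list tells the responder which account names a flagged client learned, which is where to look next for password-guessing attempts.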
Current thread:
- Enumerating users on a Domino webserver nicob (Jan 30)
- Re: Enumerating users on a Domino webserver Bruno Mosconi (Jan 30)
- <Possible follow-ups>
- RE: Enumerating users on a Domino webserver OBrien, Brennan (Jan 30)