Vulnerability Development mailing list archives

Re: Enumerating users on a Domino webserver


From: "Bruno Mosconi" <bmosconi () fnazca com br>
Date: Wed, 30 Jan 2002 15:07:48 -0200

Yes. The same problem here!
Domino 5.0.8A
----- Original Message -----
From: <nicob () nicob net>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, January 30, 2002 2:54 PM
Subject: Enumerating users on a Domino webserver



From: nicob () nicob net on 30/01/2002 17:54 CET

To:   vuln-dev () securityfocus com
cc:
Subject:  Enumerating users on a Domino webserver


Hi,

during a pen-test against a Domino 5.0.8 webserver, I was able to
enumerate valid users.

A simple "GET /mail/toto.nsf HTTP/1.0" redirects to the login page (with a
"200 OK" HTTP code) if the user "toto" exists and a "404 File not Found" is
returned if the user doesn't exist.
This issue can allow a faster brute force attack on HTTP passwords.


I have searched the Net for more information about this problem, but I found
nothing.

Can the readers reproduce this behaviour?
Do you see other implications than user enumeration (for social
engineering and brute force attacks)?


Nicob
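
A defender-side check for the behaviour described in this thread, as an added example that is not part of the original posts: it scans web access logs for one client requesting many distinct /mail/<name>.nsf databases and receiving a mix of 200 and 404 answers. The Common Log Format layout, the sample lines and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Common Log Format (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jan/2002:17:40:01 +0100] "GET /mail/alice.nsf HTTP/1.0" 404 210
192.0.2.10 - - [30/Jan/2002:17:40:02 +0100] "GET /mail/bob.nsf HTTP/1.0" 200 3120
192.0.2.10 - - [30/Jan/2002:17:40:02 +0100] "GET /mail/carol.nsf HTTP/1.0" 404 210
192.0.2.10 - - [30/Jan/2002:17:40:03 +0100] "GET /mail/dave.nsf HTTP/1.0" 404 210
192.0.2.10 - - [30/Jan/2002:17:40:04 +0100] "GET /mail/toto.nsf HTTP/1.0" 200 3120
198.51.100.7 - - [30/Jan/2002:17:41:10 +0100] "GET /mail/bob.nsf HTTP/1.0" 200 3120
198.51.100.7 - - [30/Jan/2002:17:41:30 +0100] "GET /mail/bob.nsf HTTP/1.0" 200 3120
198.51.100.7 - - [30/Jan/2002:17:42:00 +0100] "GET /index.html HTTP/1.0" 200 512
"""

# Matches only requests for a mail database directly under /mail/.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|HEAD) /mail/(?P<name>[^/\s"?]+)\.nsf(?:\?\S*)? HTTP/[\d.]+" '
    r'(?P<status>\d{3}) ',
    re.IGNORECASE,
)

def find_enumeration(log_text, min_names=4, min_misses=2):
    """Return {client: {"names", "misses", "hits"}} for clients that probed
    many distinct mail databases. Thresholds are illustrative assumptions."""
    seen = defaultdict(dict)  # client -> {mail file name: last status seen}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m["client"]][m["name"].lower()] = int(m["status"])
    findings = {}
    for client, names in seen.items():
        misses = sum(1 for s in names.values() if s == 404)
        hits = sorted(n for n, s in names.items() if s == 200)
        # A normal user opens one or two mail files; a probe touches many
        # distinct names and collects 404s for the ones that do not exist.
        if len(names) >= min_names and misses >= min_misses:
            findings[client] = {"names": len(names), "misses": misses, "hits": hits}
    return findings

if __name__ == "__main__":
    for client, info in find_enumeration(SAMPLE_LOG).items():
        print(client, info)
```

The "hits" list shows which account names the client has confirmed, which are the ones to watch for follow-up password guessing.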







