[22626] in bugtraq
RE: Is there user Anna at your host ?
daemon@ATHENA.MIT.EDU (Andrew Hatfield)
Wed Sep 12 13:11:28 2001
Date: Thu, 13 Sep 2001 02:52:28 +1000
Message-ID: <F9B05628BAE2414A99980964199E954A01CD45@VOYAGER.brisbane.hatfields.com.au>
From: "Andrew Hatfield" <andrew@hatfields.com.au>
To: "Alexander A. Kelner" <akson@tts.debryansk.ru>,
<bugtraq@securityfocus.com>
That may be the case, but most servers don't implement the UserDir
directive.
If this is not enabled, then you will get a 404, and the user may or may
not exist on your server.
--
Andrew Hatfield
Head - Internet Security Division
Hatfield & Associates Pty. Ltd.
Phone : +61 7 3849 7155
Fax : +61 7 3849 6277
Email : info@hatfields.com.au
Web : http://www.hatfields.com.au/
> -----Original Message-----
> From: Alexander A. Kelner [mailto:akson@tts.debryansk.ru]
> Sent: Thursday, 13 September 2001 12:18 AM
> To: bugtraq@securityfocus.com
> Subject: Is there user Anna at your host ?
>
>
>
> Hi people !
>
> Look here :-)
>
> You have UNIX server www.yourserver.com
> You have dozen of usual users at your UNIX server.
> You have Apache HTTP daemon configured for standard user's
> homepage location at /home/<username>/public_html.
>
> When someone from the Internet tries to see URL like
>
> http://www.yourserver.com/~anna
>
> he gets one of:
>
> 1. HTTP result code 200, and Anna's homepage,
> when user "anna" exists at your UNIX, and she has her homepage.
>
> 2. HTTP result code 403, and message from Apache:
> "You don't have permission to access /~anna on this server.",
> when user "anna" exists at your UNIX, and she has no homepage
> or access to her homepage is denied.
>
> 3. HTTP result code 404, and message from Apache:
> "The requested URL /~anna was not found on this server."
> when user anna doesn't exist at your UNIX.
>
> So, he can easily discover if user "anna" exists at your UNIX,
> and try to play with her password, or send her spam etc.
>
> This approach allows him to get necessary info instead of disabled
> VRFY feature in your Sendmail !
>
> Apache works quickly and IMHO doesn't provide any response delays
> for any kind of result code. So bad boy can check 1000 different
> names for very short time !
>
> Sorry if I'm wrong, or this is something trivial.
>
> A. Kelner
>
>
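
A defender's view of the status-code difference discussed in this thread, as an added example that is not part of either post: it scans Apache access-log lines for clients that request many distinct `/~name` paths and reports which names the responses confirmed. The sample log lines, the function names and the threshold of three names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache Common Log Format (not from the original posts).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Sep/2001:10:00:01 +0000] "GET /~anna HTTP/1.0" 200 1532
192.0.2.10 - - [12/Sep/2001:10:00:01 +0000] "GET /~bob HTTP/1.0" 404 281
192.0.2.10 - - [12/Sep/2001:10:00:02 +0000] "GET /~carol/ HTTP/1.0" 403 290
192.0.2.10 - - [12/Sep/2001:10:00:02 +0000] "GET /~dave HTTP/1.0" 404 281
198.51.100.7 - - [12/Sep/2001:10:05:00 +0000] "GET /~anna/ HTTP/1.0" 200 1532
198.51.100.7 - - [12/Sep/2001:10:05:03 +0000] "GET /~anna/pics.html HTTP/1.0" 200 804
198.51.100.7 - - [12/Sep/2001:10:06:00 +0000] "GET /index.html HTTP/1.0" 200 2048
"""

# Client address, then the name after "/~", then the HTTP status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|HEAD|POST) /~(?P<user>[^/ ?"]+)[^"]*" (?P<status>\d{3}) '
)

def userdir_probes(log_text):
    """Return {client_ip: {name: set of status codes}} for /~name requests."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m["ip"]][m["user"]].add(int(m["status"]))
    return seen

def flag_enumeration(log_text, min_names=3):
    """Flag clients that asked for many distinct ~names and drew 403/404 answers."""
    flagged = {}
    for ip, users in userdir_probes(log_text).items():
        had_miss = any(codes & {403, 404} for codes in users.values())
        if len(users) >= min_names and had_miss:
            # Per the thread, 200 and 403 both indicate that the account exists.
            confirmed = sorted(u for u, c in users.items() if c & {200, 403})
            flagged[ip] = {"distinct_names": len(users),
                           "confirmed_existing": confirmed}
    return flagged

if __name__ == "__main__":
    for ip, info in flag_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

A visitor browsing one user's pages (the second client in the sample) is not flagged, because only one distinct name is requested.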