[22632] in bugtraq


Re: Is there user Anna at your host ?

daemon@ATHENA.MIT.EDU (ET LoWNOISE)
Thu Sep 13 00:04:44 2001

Date: Wed, 12 Sep 2001 15:02:07 -0400 (EDT)
From: ET LoWNOISE <et@cyberspace.org>
To: "Alexander A. Kelner" <akson@tts.debryansk.ru>
Cc: bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.33.0109121638580.7989-100000@tower.tts.debryansk.ru>
Message-ID: <Pine.SUN.3.96.1010912145531.20552A-100000@grex.cyberspace.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

[LoWNOISE]

The same behavior can be used to know whether a file exists or not.
On some web servers like Apache, if a file exists the common response is a
[200 OK] or [405 Method Not Allowed], which will help you evade some NIDS,
for example while testing for common CGIs on the target machine.

ET 


On Wed, 12 Sep 2001, Alexander A. Kelner wrote:

> 
> Hi people !
> 
> Look here :-)
> 
> You have a UNIX server www.yourserver.com
> You have a dozen usual users at your UNIX server.
> You have the Apache HTTP daemon configured for the standard users'
> homepage location at /home/<username>/public_html.
> 
> When someone from the Internet tries to see URL like
> 
> http://www.yourserver.com/~anna
> 
> he gets one of:
> 
> 1. HTTP result code 200, and Anna's homepage,
>    when user "anna" exists at your UNIX, and she has her homepage.
> 
> 2. HTTP result code 403, and message from Apache:
>    "You don't have permission to access /~anna on this server.",
>    when user "anna" exists at your UNIX, and she has no homepage
>    or access to her homepage is denied.
> 
> 3. HTTP result code 404, and message from Apache:
>    "The requested URL /~anna was not found on this server."
>    when user anna doesn't exist at your UNIX.
> 
> So, he can easily discover if user "anna" exists at your UNIX,
> and try to play with her password, or send her spam, etc.
> 
> This approach allows him to get the necessary info instead of the disabled
> VRFY feature in your Sendmail !
> 
> Apache works quickly and IMHO doesn't provide any response delays
> for any kind of result code. So a bad boy can check 1000 different
> names in a very short time !
> 
> Sorry if I'm wrong, or this is something trivial.
> 
> A. Kelner
> 
> 

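The enumeration Kelner describes leaves a recognisable trace in the web server's access log: a single client requesting many distinct /~name paths in quick succession and getting mostly 404 (no such account) or 403 (account exists, no public_html) back, while a real visitor fetches one user's pages repeatedly. The following is an added example, not code from either poster or from the Apache project; it parses Apache common-log-format lines and flags clients whose request pattern looks like username probing. The sample log lines, the IP addresses and the thresholds (min_names, min_miss_ratio) are constructed for the demonstration.

```python
"""Flag /~username enumeration in Apache access logs.

Added example for the bugtraq thread above; not the posters' own code.
Log lines in SAMPLE_LOG are constructed for the demo (RFC 5737 test
addresses); the format is Apache's common log format.
"""
import re
from collections import defaultdict

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
# No '$' anchor, so combined-format lines (referer, user-agent) parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)
# mod_userdir style path: /~name, /~name/, /~name/anything
USERDIR_RE = re.compile(r'^/~(?P<user>[^/?]+)')

# Constructed sample: 192.0.2.10 walks a name list, the others browse normally.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Sep/2001:15:02:07 -0400] "GET /~anna HTTP/1.0" 200 1532
192.0.2.10 - - [12/Sep/2001:15:02:07 -0400] "GET /~bob HTTP/1.0" 404 294
192.0.2.10 - - [12/Sep/2001:15:02:08 -0400] "GET /~carol HTTP/1.0" 404 294
192.0.2.10 - - [12/Sep/2001:15:02:08 -0400] "GET /~dave HTTP/1.0" 403 301
192.0.2.10 - - [12/Sep/2001:15:02:09 -0400] "GET /~erin HTTP/1.0" 404 294
192.0.2.10 - - [12/Sep/2001:15:02:09 -0400] "GET /~frank HTTP/1.0" 404 294
198.51.100.7 - - [12/Sep/2001:15:10:31 -0400] "GET /~anna/ HTTP/1.1" 200 1532
198.51.100.7 - - [12/Sep/2001:15:10:32 -0400] "GET /~anna/photos.html HTTP/1.1" 200 8812
198.51.100.7 - - [12/Sep/2001:15:10:40 -0400] "GET /index.html HTTP/1.1" 200 2201
203.0.113.44 - - [12/Sep/2001:15:20:02 -0400] "GET /~bob HTTP/1.0" 404 294
this line is not an access-log record and must be skipped
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it
    does not match the expected format (malformed or non-log lines)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_userdir_probes(log_text, min_names=5, min_miss_ratio=0.5):
    """Return a list of findings, one per client IP that requested at least
    `min_names` distinct /~user targets and whose share of 403/404 answers
    on those requests is at least `min_miss_ratio`.

    Both 403 and 404 count as 'misses': each is a probe that found no page,
    and the 403/404 split is exactly the oracle the thread is about, so the
    finding reports them separately for the analyst."""
    per_ip = defaultdict(lambda: {"names": set(), "ok": 0,
                                  "forbidden": 0, "not_found": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        um = USERDIR_RE.match(rec["path"])
        if um is None:
            continue  # not a userdir request, ignore
        entry = per_ip[rec["ip"]]
        entry["names"].add(um.group("user"))
        if rec["status"] == "404":
            entry["not_found"] += 1
        elif rec["status"] == "403":
            entry["forbidden"] += 1
        else:
            entry["ok"] += 1

    findings = []
    for ip, e in per_ip.items():
        misses = e["forbidden"] + e["not_found"]
        total = misses + e["ok"]
        ratio = misses / total
        if len(e["names"]) >= min_names and ratio >= min_miss_ratio:
            findings.append({
                "ip": ip,
                "distinct_names": len(e["names"]),
                "ok": e["ok"],
                "forbidden": e["forbidden"],
                "not_found": e["not_found"],
                "miss_ratio": round(ratio, 2),
            })
    # Noisiest client first
    return sorted(findings, key=lambda f: f["distinct_names"], reverse=True)


if __name__ == "__main__":
    for f in detect_userdir_probes(SAMPLE_LOG):
        print(f"{f['ip']}: {f['distinct_names']} distinct ~users, "
              f"{f['ok']} ok / {f['forbidden']} forbidden / "
              f"{f['not_found']} not found (miss ratio {f['miss_ratio']})")
```

Run it against a real access log with `detect_userdir_probes(open(path).read())`; the thresholds are deliberately conservative, and since Kelner's point is that the probes arrive quickly, a production version would also bound the window in which the distinct names were seen. On the mitigation side, Apache's mod_userdir lets the mapping be switched off by default and enabled only for listed accounts (`UserDir disabled`, then `UserDir enabled` with the names that actually publish pages), so that an account which exists but has no public_html is no longer answered differently from one that does not exist.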
