[24111] in bugtraq


Re: Script for find domino's users

daemon@ATHENA.MIT.EDU (David Litchfield)
Mon Feb 4 20:33:52 2002

Message-ID: <001701c1ad98$fc7e62a0$71e693c3@XU5UDGJMHXJ300>
From: "David Litchfield" <david@nextgenss.com>
To: <bugtraq@securityfocus.com>
Date: Mon, 4 Feb 2002 16:28:31 -0000
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

>
> >Two things can be done to avoid this :
> >
> >1 - Change the ACL on sensitive databases ( /mail/* , names.nsf ) to :
> >      Anonymous - No access
> >      [Default] - No access
>
> In my opinion, a Domino webserver configured with these ACLs still allows
> enumeration of valid users.
>
> If you try to GET a file named /mail/toto.nsf :
> - toto doesn't exist => 404
> - toto exists => redirection to the login page ("200 OK")
>
> I'm not aware of any ACL configuration which forbids this behaviour.

If you've configured the Domino server to use form-based logins/cookies
you'll get a 200 response. Else you'll get a 401 Unauthorized.
Either way you can still determine if the .nsf or .box file exists.
Cheers,
David Litchfield
http://www.ngssoftware.com/
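A defender-side check for the behaviour discussed in this thread, added here as an example and not part of the original post: it parses constructed Common Log Format access-log lines (documentation-range IPs and invented mailbox names) and flags any client that requests many distinct /mail/<name>.nsf or .box databases and receives mostly 404s, which is the enumeration pattern the thread describes. The log format, field layout and thresholds are assumptions, not a Domino specification.

```python
import re
from collections import defaultdict

# Constructed log lines (not real traffic): one client walks /mail/<name>.nsf and
# gets 404 for unknown names, 200 (form login) or 401 (challenge) for real ones.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Feb/2002:16:28:31 +0000] "GET /mail/toto.nsf HTTP/1.0" 404 312
203.0.113.5 - - [04/Feb/2002:16:28:32 +0000] "GET /mail/alice.nsf HTTP/1.0" 200 1523
203.0.113.5 - - [04/Feb/2002:16:28:33 +0000] "GET /mail/bob.nsf HTTP/1.0" 404 312
203.0.113.5 - - [04/Feb/2002:16:28:34 +0000] "GET /mail/carol.nsf HTTP/1.0" 401 89
203.0.113.5 - - [04/Feb/2002:16:28:35 +0000] "GET /mail/dave.nsf HTTP/1.0" 404 312
203.0.113.5 - - [04/Feb/2002:16:28:36 +0000] "GET /mail/erin.nsf HTTP/1.0" 404 312
198.51.100.7 - - [04/Feb/2002:16:30:00 +0000] "GET /mail/alice.nsf HTTP/1.0" 200 1523
198.51.100.7 - - [04/Feb/2002:16:30:05 +0000] "GET /names.nsf HTTP/1.0" 401 89
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')
DB_RE = re.compile(r'^/mail/([^/?]+)\.(?:nsf|box)$', re.IGNORECASE)

def parse_line(line):
    """Return (client_ip, mailbox_name, status) for a /mail/*.nsf|.box request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, path, status = m.groups()
    db = DB_RE.match(path)
    return (ip, db.group(1).lower(), int(status)) if db else None

def find_enumeration(log_text, min_names=5, min_miss_ratio=0.5):
    """Map flagged client IP -> (distinct names probed, 404 count, names that answered
    200/401/302, i.e. databases the client confirmed to exist)."""
    per_ip = defaultdict(lambda: {"names": set(), "total": 0, "miss": 0, "hits": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, name, status = rec
        st = per_ip[ip]
        st["names"].add(name)
        st["total"] += 1
        if status == 404:
            st["miss"] += 1
        elif status in (200, 401, 302):  # existing db: login form, challenge or redirect
            st["hits"].add(name)
    flagged = {}
    for ip, st in per_ip.items():
        if len(st["names"]) >= min_names and st["miss"] / st["total"] >= min_miss_ratio:
            flagged[ip] = (len(st["names"]), st["miss"], sorted(st["hits"]))
    return flagged
```

The names in the third tuple element are the ones the probing client learned exist, which is what an incident responder wants to know; a single user opening their own mailbox never reaches the distinct-name threshold.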
