Re: Enumerating users on a Domino webserver
From: Bruno Mosconi (bmosconi@fnazca.com.br)
Date: 01/30/02
From: "Bruno Mosconi" <bmosconi@fnazca.com.br>
To: <nicob@nicob.net>, <vuln-dev@securityfocus.com>
Date: Wed, 30 Jan 2002 15:07:48 -0200

Yes. The same problem here!
Domino 5.0.8A
----- Original Message -----
From: <nicob@nicob.net>
To: <vuln-dev@securityfocus.com>
Sent: Wednesday, January 30, 2002 2:54 PM
Subject: Enumerating users on a Domino webserver
>
> From: nicob@nicob.net on 30/01/2002 17:54 CET
>
> To: vuln-dev@securityfocus.com
> cc:
> Subject: Enumerating users on a Domino webserver
>
>
> Hi,
>
> during a pen-test against a Domino 5.0.8 webserver, I was able to enumerate
> valid users.
>
> A simple "GET /mail/toto.nsf HTTP/1.0" redirects to the login page (with a
> "200 OK" HTTP code) if the user "toto" exists and a "404 File not Found" is
> returned if the user doesn't exist.
> This issue can allow a faster brute force attack on HTTP passwords.
>
>
> I have searched the Net for more information about this problem, but I found
> nothing.
>
> Can the readers reproduce this behaviour?
> Do you see other implications than user enumeration (for social
> engineering and brute force attacks)?
>
>
> Nicob
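
Added example, not part of the original thread: a log check a defender could run to spot the probing pattern described above, where one client requests many distinct /mail/<name>.nsf files and most come back 404. The Common Log Format input, the thresholds, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Common Log Format (an assumption; the thread shows no logs).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jan/2002:17:40:01 +0100] "GET /mail/toto.nsf HTTP/1.0" 200 2310
192.0.2.10 - - [30/Jan/2002:17:40:01 +0100] "GET /mail/admin.nsf HTTP/1.0" 404 312
192.0.2.10 - - [30/Jan/2002:17:40:02 +0100] "GET /mail/alice.nsf HTTP/1.0" 404 312
192.0.2.10 - - [30/Jan/2002:17:40:02 +0100] "GET /mail/bob.nsf HTTP/1.0" 404 312
192.0.2.10 - - [30/Jan/2002:17:40:03 +0100] "GET /mail/carol.nsf HTTP/1.0" 404 312
192.0.2.10 - - [30/Jan/2002:17:40:03 +0100] "GET /mail/dave.nsf HTTP/1.0" 404 312
198.51.100.7 - - [30/Jan/2002:17:41:10 +0100] "GET /mail/jdoe.nsf HTTP/1.0" 200 2310
198.51.100.7 - - [30/Jan/2002:17:45:12 +0100] "GET /mail/jdoe.nsf HTTP/1.0" 200 2310
198.51.100.7 - - [30/Jan/2002:17:45:30 +0100] "GET /missing.gif HTTP/1.0" 404 312
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+)[^"]*" (\d{3})\b')
MAIL_RE = re.compile(r'^/mail/([^/?]+)\.nsf(?:[/?]|$)', re.IGNORECASE)

def find_enumeration(log_text, min_names=5, min_miss_ratio=0.5):
    """Flag clients that request many distinct /mail/<name>.nsf files, mostly 404."""
    seen = defaultdict(lambda: {"hits": set(), "misses": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, path, status = m.groups()
        mail = MAIL_RE.match(path)
        if not mail:
            continue  # not a mail-file request
        # Per the post, 404 means no such user; any other status is
        # treated here as "mail file exists" (an assumption of this example).
        bucket = "misses" if status == "404" else "hits"
        seen[client][bucket].add(mail.group(1).lower())
    flagged = {}
    for client, names in seen.items():
        total = len(names["hits"] | names["misses"])
        if total >= min_names and len(names["misses"]) / total >= min_miss_ratio:
            flagged[client] = {k: sorted(v) for k, v in names.items()}
    return flagged

if __name__ == "__main__":
    for client, names in find_enumeration(SAMPLE_LOG).items():
        print(client, "disclosed:", names["hits"], "probed, absent:", names["misses"])
```

The "hits" list for a flagged client shows which account names the server's differing responses disclosed, which is where to start with password resets or lockout review.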