Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Script for find domino's users
From: nicob () nicob net
Date: Fri, 01 Feb 2002 13:41:07 +0100

31/01/2002 21:03:10, "Simon Delicata" <sdelicata () planer co uk> wrote :

Two things can be done to avoid this :

1 - Change the ACL on sensitive databases ( /mail/* , names.nsf ) to :
     Anonymous - No access
     [Default] - No access

In my opinion, a Domino webserver configured with these ACLs still allows enumeration of 
valid users.

If you try to GET a file named /mail/toto.nsf :
- toto doesn't exist => 404
- toto exists => redirection to the login page ("200 OK")

I'm not aware of any ACL configuration which forbid this behaviour.


Nicob




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault