Hi,
during a pen-test against a Domino 5.0.8 webserver, I was able to enumerate valid users.
A simple "GET /mail/toto.nsf HTTP/1.0" redirects to the login page (with a "200 OK" HTTP code) if the user "toto" exists, and a "404 File not Found" is returned if the user doesn't exist.
This issue can allow a faster brute force attack on HTTP passwords.
I have searched the Net for more information about this problem, but I found nothing.
Can the readers reproduce this behaviour?
Do you see other implications than user enumeration (for social engineering and brute force attacks)?
Nicob
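An added detection-side example, not part of Nicob's post or of Domino itself: it scans web server access log lines for a single client collecting 404s on many distinct /mail/<name>.nsf paths, which is the footprint of the enumeration described above. The Common Log Format layout, the threshold of three missing mail files and the sample entries are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample access log in Common Log Format (not from a real Domino server).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2002:10:01:01 +0100] "GET /mail/toto.nsf HTTP/1.0" 200 1532
10.0.0.5 - - [12/Mar/2002:10:01:02 +0100] "GET /mail/alice.nsf HTTP/1.0" 404 211
10.0.0.5 - - [12/Mar/2002:10:01:02 +0100] "GET /mail/bob.nsf HTTP/1.0" 404 211
10.0.0.5 - - [12/Mar/2002:10:01:03 +0100] "GET /mail/carol.nsf HTTP/1.0" 404 211
10.0.0.5 - - [12/Mar/2002:10:01:04 +0100] "GET /mail/erin.nsf HTTP/1.0" 404 211
192.168.1.20 - - [12/Mar/2002:10:05:00 +0100] "GET /mail/jsmith.nsf HTTP/1.0" 200 1532
192.168.1.20 - - [12/Mar/2002:10:05:30 +0100] "GET /mail/jsmith.nsf/($Inbox)?OpenView HTTP/1.0" 200 8820
192.168.1.20 - - [12/Mar/2002:10:05:40 +0100] "GET /names.nsf HTTP/1.0" 404 211
"""

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Only the top-level mail file name counts as a probe of one user; sub-paths of a mail file do not.
MAILFILE_RE = re.compile(r'^/mail/(?P<name>[^/?]+)\.nsf(?:[/?]|$)', re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"client": m["client"], "path": m["path"], "status": int(m["status"])}

def find_enumeration(log_text, min_missing=3):
    """Per client, collect distinct mail-file names that answered 404 versus 200, and
    flag clients that hit at least `min_missing` missing ones (a wordlist walk, not normal use)."""
    missing = defaultdict(set)
    found = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        mf = MAILFILE_RE.match(rec["path"])
        if not mf:
            continue
        name = mf["name"].lower()
        if rec["status"] == 404:
            missing[rec["client"]].add(name)
        elif rec["status"] == 200:
            found[rec["client"]].add(name)
    return {
        client: {"missing": sorted(names), "found": sorted(found[client])}
        for client, names in missing.items()
        if len(names) >= min_missing
    }
```

On the sample data only 10.0.0.5 is flagged; the client that opened its own mail file and its inbox is not.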