Bugtraq mailing list archives
Re: Script for find domino's users
From: nicob () nicob net
Date: Fri, 01 Feb 2002 13:41:07 +0100
31/01/2002 21:03:10, "Simon Delicata" <sdelicata () planer co uk> wrote :
Two things can be done to avoid this : 1 - Change the ACL on sensitive databases ( /mail/* , names.nsf ) to : Anonymous - No access [Default] - No access
In my opinion, a Domino webserver configured with these ACLs still allows enumeration of valid users. If you try to GET a file named /mail/toto.nsf : - toto doesn't exist => 404 - toto exists => redirection to the login page ("200 OK") I'm not aware of any ACL configuration which forbid this behaviour. Nicob
Current thread:
- Re: Script for find domino's users Chad Loder (Jan 31)
- <Possible follow-ups>
- Re: Script for find domino's users nicob (Feb 03)
- Re: Script for find domino's users David Litchfield (Feb 04)
- RE: Script for find domino's users Jay D. Thomson (Feb 10)