SecurityTracker.com
Category:  Application (Web Server/CGI)  >  Domino/Notes (Lotus) Vendors:  IBM
Lotus Domino Web Server Discloses User Account Validity Information to Remote Users
Date:  Feb 1 2002
Impact:  Disclosure of system information
Exploit Included:  Yes  
Version(s): 5.0.8
Description:  An information disclosure vulnerability was reported in the Lotus Domino web server. A remote user can obtain information about valid user account names on the server.

It is reported that a remote user can send an HTTP GET request for a user's mail database that returns a different response depending on whether the requested user account name exists.

For example, a remote user can request the following:

GET /mail/toto.nsf HTTP/1.0

This will apparently redirect to the login page (with a "200 OK" HTTP code) if the user "toto" exists. If the user "toto" does not exist, the server will apparently return a "404 File Not Found" error message.

A remote user can use this information in mounting a brute force password guessing attack against the server.
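A defender-side detection sketch, added here and not part of the advisory or the original mailing-list post: it parses web server log lines and flags clients that probe many distinct /mail/<name>.nsf databases and receive 404s, which is the response pattern the advisory describes. The Common Log Format layout and the sample entries are constructed assumptions (Domino can log in this format, but your log layout may differ), as is the threshold of three distinct misses.

```python
import re
from collections import defaultdict

# Constructed Common Log Format lines (sample data, not from the advisory).
# 198.51.100.7 probes many /mail/<name>.nsf paths; 203.0.113.9 behaves normally.
SAMPLE_LOG = """\
198.51.100.7 - - [30/Jan/2002:17:40:01 +0100] "GET /mail/toto.nsf HTTP/1.0" 200 1234
198.51.100.7 - - [30/Jan/2002:17:40:02 +0100] "GET /mail/alice.nsf HTTP/1.0" 404 512
198.51.100.7 - - [30/Jan/2002:17:40:02 +0100] "GET /mail/bob.nsf HTTP/1.0" 404 512
198.51.100.7 - - [30/Jan/2002:17:40:03 +0100] "GET /mail/carol.nsf HTTP/1.0" 404 512
198.51.100.7 - - [30/Jan/2002:17:40:03 +0100] "GET /mail/dave.nsf HTTP/1.0" 200 1234
198.51.100.7 - - [30/Jan/2002:17:40:04 +0100] "GET /mail/erin.nsf HTTP/1.0" 404 512
203.0.113.9 - - [30/Jan/2002:17:41:10 +0100] "GET /mail/dave.nsf HTTP/1.0" 200 1234
203.0.113.9 - - [30/Jan/2002:17:41:11 +0100] "GET /names.nsf HTTP/1.0" 200 8000
"""

# client, method, path, status from a CLF line (request line quoted, status 3 digits)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# /mail/<name>.nsf with no further path component or query string
MAILDB_RE = re.compile(r'^/mail/([^/?]+)\.nsf$', re.IGNORECASE)

def summarize(log_text):
    """Per client: distinct mail-database names that returned 200 ("hits")
    and 404 ("misses"). Only the two statuses the advisory contrasts count."""
    stats = defaultdict(lambda: {"hits": set(), "misses": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-CLF line
        client, _method, path, status = m.groups()
        db = MAILDB_RE.match(path)
        if not db:
            continue  # not a mail-database request
        bucket = {"200": "hits", "404": "misses"}.get(status)
        if bucket:
            stats[client][bucket].add(db.group(1).lower())
    return stats

def flag_enumeration(log_text, min_misses=3):
    """Clients whose 404s cover at least min_misses distinct names: a single
    mistyped bookmark gives one miss, a name-guessing sweep gives many."""
    return sorted(c for c, s in summarize(log_text).items()
                  if len(s["misses"]) >= min_misses)

if __name__ == "__main__":
    for client in flag_enumeration(SAMPLE_LOG):
        s = summarize(SAMPLE_LOG)[client]
        print(f"{client}: {len(s['misses'])} misses, {len(s['hits'])} hits")
```

Until a fix is available, the same logic can drive rate limiting or alerting at a reverse proxy in front of the Domino server.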

Impact:  A remote user can determine if specific user account names exist on the server.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.lotus.com/
Cause:  Access control error, State error
Underlying OS:  Windows (NT), Windows (2000)
Reported By:  nicob@nicob.net
Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 19 2002 (Vendor Provides Recommendation) Re: Lotus Domino Web Server Discloses User Account Validity Information to Remote Users
The vendor has provided a recommendation to minimize risk.



 Source Message Contents

Date:  Wed, 30 Jan 2002 17:54:41 +0100
From:  nicob@nicob.net
Subject:  Enumerating users on a Domino webserver

 

Hi,

during a pen-test against a Domino 5.0.8 webserver, I was able to enumerate valid users.

A simple "GET /mail/toto.nsf HTTP/1.0" redirects to the login page (with a "200 OK" HTTP code) if the user "toto" exists and a "404 File not Found" is returned if the user doesn't exist. This issue can allow a faster brute force attack on HTTP passwords. I have searched the Net for more information about this problem, but I found nothing. Can the readers reproduce this behaviour? Do you see other implications than user enumeration (for social engineering and brute force attacks)?

Nicob



Copyright 2002, SecurityGlobal.net LLC