SecurityTracker.com
Category:   Application (Web Server/CGI)  >   IBM iNotes and Domino
Vendors:   IBM
(Vendor Provides Recommendation) Re: Lotus Domino Web Server Discloses User Account Validity Information to Remote Users
SecurityTracker Alert ID:  1003596
SecurityTracker URL:  http://securitytracker.com/id/1003596
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 19 2002
Impact:   Disclosure of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 5.0.8
Description:   An information disclosure vulnerability was reported in the Lotus Domino web server. A remote user can obtain information about valid user account names on the server.

It is reported that a remote user can send an HTTP GET request for a user's mail file and receive a different response depending on whether the requested user account exists or not.

For example, a remote user can request the following:

GET /mail/toto.nsf HTTP/1.0

This will apparently redirect to the login page (with a "200 OK" HTTP status code) if the user "toto" exists. If the user "toto" does not exist, the server will apparently return a "404 File not Found" error message instead.

A remote user can use this information in mounting a brute force password guessing attack against the server.
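The status-code difference described above leaves a characteristic trace in the Domino HTTP access log: one source requesting many different /mail/*.nsf files in a short time, most of them answered with 404. The following detection script is an added example (not part of the SecurityTracker advisory or of IBM's Technote) that parses Common Log Format lines and flags such bursts. The log lines, IP addresses, user names, the `window`/`min_distinct`/`min_not_found` thresholds and the function names are all constructed for illustration and are not from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format, as a web server
# such as Domino could be configured to write). Hosts, names and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2002:19:40:01 -0500] "GET /mail/alice.nsf HTTP/1.0" 200 1532
203.0.113.7 - - [18/Feb/2002:19:40:02 -0500] "GET /mail/bob.nsf HTTP/1.0" 404 312
203.0.113.7 - - [18/Feb/2002:19:40:02 -0500] "GET /mail/carol.nsf HTTP/1.0" 404 312
203.0.113.7 - - [18/Feb/2002:19:40:03 -0500] "GET /mail/dave.nsf HTTP/1.0" 404 312
203.0.113.7 - - [18/Feb/2002:19:40:03 -0500] "GET /mail/erin.nsf HTTP/1.0" 200 1532
203.0.113.7 - - [18/Feb/2002:19:40:04 -0500] "GET /mail/frank.nsf HTTP/1.0" 404 312
203.0.113.7 - - [18/Feb/2002:19:40:04 -0500] "GET /mail/grace.nsf HTTP/1.0" 404 312
198.51.100.9 - - [18/Feb/2002:19:41:10 -0500] "GET /mail/alice.nsf HTTP/1.0" 200 1532
198.51.100.9 - - [18/Feb/2002:19:45:30 -0500] "GET /mail/alice.nsf HTTP/1.0" 200 1532
198.51.100.9 - - [18/Feb/2002:19:46:00 -0500] "GET /names.nsf HTTP/1.0" 200 2048
"""

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Requests for a mail file directly under /mail/, e.g. /mail/toto.nsf
MAILFILE_RE = re.compile(r'^/mail/([^/]+)\.nsf$', re.IGNORECASE)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts,
            'path': m.group('path'), 'status': int(m.group('status'))}


def find_enumeration(log_text, window=timedelta(minutes=5),
                     min_distinct=5, min_not_found=3):
    """Return {ip: summary} for sources whose mail-file requests inside any
    `window` cover at least `min_distinct` different mail file names and
    draw at least `min_not_found` 404 responses. `confirmed` lists the names
    that were answered 200, i.e. the accounts the probe validated and that
    deserve follow-up monitoring for password guessing."""
    per_ip = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = MAILFILE_RE.match(rec['path'])
        if not m:
            continue
        per_ip[rec['ip']].append((rec['ts'], m.group(1).lower(), rec['status']))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        best = None
        j = 0
        for i in range(len(events)):
            # Advance j to the first event outside the window that starts at events[i].
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            span = events[i:j]
            names = {name for _, name, _ in span}
            not_found = sum(1 for _, _, st in span if st == 404)
            confirmed = sorted({name for _, name, st in span if st == 200})
            if len(names) >= min_distinct and not_found >= min_not_found:
                cand = {'distinct_names': len(names), 'not_found': not_found,
                        'confirmed': confirmed}
                if best is None or cand['distinct_names'] > best['distinct_names']:
                    best = cand
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == '__main__':
    for ip, summary in find_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds are deliberately conservative defaults; a mail server with many legitimate users opening their own mail files will show one or two names per source, not a spread of distinct names dominated by 404s. The sliding window keeps the check bounded per source, so it can run over a day's log in one pass.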

Impact:   A remote user can determine if specific user account names exist on the server.
Solution:   Lotus has confirmed that a remote user can determine the validity of a user name by issuing a GET request for a user's mail file.

To prevent this type of attack from being successful, Lotus reports that administrators can choose the "Fewer name variations with higher security" Web server authentication option.

This can reportedly be configured as follows:

Go to the Security tab of the Server document in the Domino Directory and under Web Server Access, select "Fewer name variations with higher security" as the Web Server Authentication option.

Lotus says that another option is to name mail files randomly when registering users instead of accepting the default file name, which is based on the user's name.

Vendor URL:  www.ibm.com/support/manager.wss?rs=1&rt=0&org=sims&doc=221311F958D2575C85256B5A00814480
Cause:   Access control error, State error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Feb 1 2002 Lotus Domino Web Server Discloses User Account Validity Information to Remote Users



Source Message Contents

Date:  Mon, 18 Feb 2002 19:52:25 -0500
Subject:  Lotus Domino User Name Enumeration Vulnerability


Lotus Domino User Name Enumeration Vulnerability

Technotes Number:  191083


Lotus has issued a Technote regarding the report that a remote user can
determine the validity of a user name by issuing a GET request for a
user's mail file.

Lotus reports that this technique is based on the assumption that the
name of the user's mail file corresponds exactly to a valid user name
for authentication purposes.  To prevent this type of attack from being
successful, administrators can choose the "Fewer name variations with
higher security" Web server authentication option. 

This can reportedly be configured as follows:

Go to the Security tab of the Server document in the Domino Directory
and under Web Server Access, select "Fewer name variations with higher
security" as the Web Server Authentication option.

Lotus says that another option is to name mail files randomly when
registering users instead of accepting the default file name, which is
based on the user's name.


Lotus has indicated that the following conditions must be met for this
vulnerability to be exploitable:

- The server must be hosting publicly-accessible iNotes Web Access or
Webmail users. Unless a site is explicitly supporting Internet mail,
there is no reason to have mail files on the server. 

- The name of the user's mail file must correspond exactly to the value
of the shortname field in the user's Person record. 

- The Web server authentication option for the server is configured as
"More name variations with lower security" in the Server

- The remote user must be able to correctly guess the name of a user's
mail file 

- The remote user must then be able to guess the user's password 


This information is based on the following document:

http://www-1.ibm.com/support/manager.wss?rs=1&rt=0&org=sims&doc=221311F958D2575C85256B5A00814480


 
 








Copyright 2017, SecurityGlobal.net LLC