Category:   Application (Web Server/CGI)  >   IBM iNotes and Domino
Vendors:   IBM
Lotus Domino Web Server Discloses User Account Validity Information to Remote Users
SecurityTracker Alert ID:  1003417
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 1 2002
Impact:   Disclosure of system information
Exploit Included:  Yes
Version(s): 5.0.8
Description:   An information disclosure vulnerability was reported in the Lotus Domino web server. A remote user can obtain information about valid user account names on the server.

It is reported that a remote user can generate an HTTP GET request for a certain module that will return a different message depending on whether the requested user account name exists or not.

For example, a remote user can request the following:

GET /mail/toto.nsf HTTP/1.0

This will apparently redirect to the login page (with a "200 OK" HTTP code) if the user "toto" exists. If the user "toto" does not exist, the server will apparently return a "404 File not Found" error message instead.

A remote user can use this information to narrow a brute force password guessing attack against the server to account names known to exist.
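The response difference described above leaves a trace in the web server's access log: one client requesting many distinct /mail/<name>.nsf paths, most of which come back 404. As an added example (not part of the advisory or the original report), the following Python scans constructed Common Log Format lines for that pattern; the sample lines, client addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format); not from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Feb/2002:10:00:01 +0000] "GET /mail/alice.nsf HTTP/1.0" 200 1842
203.0.113.5 - - [01/Feb/2002:10:00:02 +0000] "GET /mail/bob.nsf HTTP/1.0" 404 312
203.0.113.5 - - [01/Feb/2002:10:00:02 +0000] "GET /mail/carol.nsf HTTP/1.0" 404 312
203.0.113.5 - - [01/Feb/2002:10:00:03 +0000] "GET /mail/dave.nsf HTTP/1.0" 200 1842
203.0.113.5 - - [01/Feb/2002:10:00:03 +0000] "GET /mail/erin.nsf HTTP/1.0" 404 312
203.0.113.5 - - [01/Feb/2002:10:00:04 +0000] "GET /mail/frank.nsf HTTP/1.0" 404 312
198.51.100.7 - - [01/Feb/2002:10:00:05 +0000] "GET /mail/alice.nsf HTTP/1.0" 200 1842
198.51.100.7 - - [01/Feb/2002:10:00:09 +0000] "GET /names.nsf HTTP/1.0" 200 9001
"""

# One CLF line: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Per-user mail file path as in the advisory: /mail/<name>.nsf
MAILFILE_RE = re.compile(r"^/mail/([^/?]+)\.nsf$", re.IGNORECASE)


def parse_line(line):
    """Return (client_ip, path, status) or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def find_enumeration(log_text, min_distinct=4, min_404=3):
    """Return {client_ip: (distinct_mailfile_names, count_of_404s)} for clients
    whose /mail/<name>.nsf requests look like user-name probing: many distinct
    names, a substantial number of which came back 404 (name does not exist)."""
    probes = defaultdict(lambda: [set(), 0])  # ip -> [names seen, 404 count]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        mf = MAILFILE_RE.match(path)
        if not mf:
            continue  # not a mail-file request; ignore
        probes[ip][0].add(mf.group(1).lower())
        if status == 404:
            probes[ip][1] += 1
    return {ip: (len(names), n404) for ip, (names, n404) in probes.items()
            if len(names) >= min_distinct and n404 >= min_404}
```

Against the constructed log, only 203.0.113.5 is flagged (six distinct names probed, four of them 404); the thresholds should be tuned to a server's normal traffic before alerting on them.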

Impact:   A remote user can determine if specific user account names exist on the server.
Solution:   No solution was available at the time of this entry.
Cause:   Access control error, State error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Provides Recommendation) Re: Lotus Domino Web Server Discloses User Account Validity Information to Remote Users
The vendor has provided a recommendation to minimize risk.

Source Message Contents

Subject:  Enumerating users on a Domino webserver


During a pen-test against a Domino 5.0.8 webserver, I was able to enumerate valid users.

A simple "GET /mail/toto.nsf HTTP/1.0" redirects to the login page (with a "200 OK" HTTP code) if the user "toto" exists and a "404 File not Found" is returned if the user doesn't exist.

This issue can allow a faster brute force attack on HTTP passwords.

I have searched the Net for more information about this problem, but I found nothing.

Can the readers reproduce this behaviour?
Do you see other implications than user enumeration (for social engineering and brute force attacks)?


