That may be the case, but most servers don't implement the UserDir
directive.

If this is not enabled, then you will get a 404, and the user may or may
not exist on your server

  --
  Andrew Hatfield
  Head - Internet Security Division

  Hatfield & Associates Pty. Ltd.
  Phone : +61 7 3849 7155
  Fax : +61 7 3849 6277
  Email : infohatfields.com.au
  Web : http://www.hatfields.com.au/

> -----Original Message-----
> From: Alexander A. Kelner [mailto:aksontts.debryansk.ru]
> Sent: Thursday, 13 September 2001 12:18 AM
> To: bugtraqsecurityfocus.com
> Subject: Is there user Anna at your host ?
>
>
>
> Hi people !
>
> Look here :-)
>
> You have UNIX server www.yourserver.com
> You have dozen of usual users at your UNIX server.
> You have Apache HTTP daemon configured for standard user's
> homepage location at /home/<username>/public_html.
>
> When someone from the Internet tries to see URL like
>
> http://www.yourserver.com/~anna
>
> he gets one of:
>
> 1. HTTP result code 200, and Anna's homepage,
> when user "anna" exists at your UNIX, and she has her homepage.
>
> 2. HTTP result code 403, and message from Apache:
> "You don't have permission to access /~anna on this server.",
> when user "anna" exists at your UNIX, and she has no homepage
> or access to her homepage is denied.
>
> 3. HTTP result code 404, and message from Apache:
> "The requested URL /~anna was not found on this server."
> when user anna doesn't exist at your UNIX.
>
> So, he can easy discover if user "anna" exists at your UNIX,
> and try to play with her password, or send her spam etc.
>
> This approach allows him get nesessary info instead of disabled
> VRFY feature in your Sendmail !
>
> Apache works quickly and IMHO doesnt provide any responce delays
> for any kind of result code. So bad boy can check 1000 different
> names for very short time !
>
> Sorry if I'm wrong, or this is something trivial.
>
> A. Kelner
>
>

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]