From: ET LoWNOISE (etcyberspace.org)
Date: Wed Sep 12 2001 - 14:02:07 CDT


    [LoWNOISE]

    The same behavior can be used to know if a file exists or not.
    On some web servers like Apache, if a file exists the common response is a
    [200 OK] or [405 Method Not Allowed]; that will help you evade some NIDS,
    for example while testing for common CGIs on the target machine.

    ET

    On Wed, 12 Sep 2001, Alexander A. Kelner wrote:

    >
    > Hi people !
    >
    > Look here :-)
    >
    > You have a UNIX server www.yourserver.com
    > You have a dozen usual users at your UNIX server.
    > You have Apache HTTP daemon configured for standard user's
    > homepage location at /home/<username>/public_html.
    >
    > When someone from the Internet tries to see URL like
    >
    > http://www.yourserver.com/~anna
    >
    > he gets one of:
    >
    > 1. HTTP result code 200, and Anna's homepage,
    > when user "anna" exists at your UNIX, and she has her homepage.
    >
    > 2. HTTP result code 403, and message from Apache:
    > "You don't have permission to access /~anna on this server.",
    > when user "anna" exists at your UNIX, and she has no homepage
    > or access to her homepage is denied.
    >
    > 3. HTTP result code 404, and message from Apache:
    > "The requested URL /~anna was not found on this server."
    > when user anna doesn't exist at your UNIX.
    >
    > So, he can easily discover if user "anna" exists at your UNIX,
    > and try to play with her password, or send her spam etc.
    >
    > This approach allows him to get the necessary info instead of the disabled
    > VRFY feature in your Sendmail !
    >
    > Apache works quickly and IMHO doesn't provide any response delays
    > for any kind of result code. So a bad boy can check 1000 different
    > names in a very short time !
    >
    > Sorry if I'm wrong, or this is something trivial.
    >
    > A. Kelner
    >
    >
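
A defender's counterpart to the thread above, added here as an example (not code from either poster or from Apache): it scans access-log lines for a client that requests many distinct `/~name` roots and mostly gets 403/404 back, and lists which names were answered with 200 or 403. The function name, thresholds and log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Common/combined log format: client ... "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Only the userdir root (/~name or /~name/) tells a client whether the account exists.
USERDIR_ROOT_RE = re.compile(r'^/~([^/?#]+)/?$')

def find_userdir_probers(lines, min_names=5, min_miss_ratio=0.5):
    """Flag clients that request many distinct /~name roots and mostly get 403/404.

    Returns {client: {"probed": [...], "disclosed": [...]}}; "disclosed" holds the
    names answered with 200 or 403, which per the post means the account exists.
    """
    statuses = defaultdict(lambda: defaultdict(set))  # client -> name -> {status}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path, status = m.group(1), m.group(2), int(m.group(3))
        u = USERDIR_ROOT_RE.match(path)
        if u:
            statuses[client][u.group(1)].add(status)
    report = {}
    for client, names in statuses.items():
        missed = [n for n, s in names.items() if s & {403, 404}]
        if len(names) >= min_names and len(missed) / len(names) >= min_miss_ratio:
            disclosed = sorted(n for n, s in names.items() if s & {200, 403})
            report[client] = {"probed": sorted(names), "disclosed": disclosed}
    return report

# Constructed sample log (documentation addresses, made-up names and sizes).
_TS = '[12/Sep/2001:14:00:00 -0500]'
_GUESSES = [("anna", 200), ("bob", 404), ("carol", 403), ("dave", 404),
            ("erin", 404), ("frank", 404)]
SAMPLE_LOG = [f'192.0.2.10 - - {_TS} "GET /~{n} HTTP/1.0" {s} 300' for n, s in _GUESSES]
SAMPLE_LOG += [
    f'198.51.100.7 - - {_TS} "GET /~anna/ HTTP/1.0" 200 1432',
    f'198.51.100.7 - - {_TS} "GET /~anna/cat.gif HTTP/1.0" 200 9120',
    f'203.0.113.5 - - {_TS} "GET /~ana HTTP/1.0" 404 278',
]

if __name__ == "__main__":
    for client, info in find_userdir_probers(SAMPLE_LOG).items():
        print(client, "probed", len(info["probed"]), "names; disclosed:", info["disclosed"])
```

The ordinary visitor and the single mistyped URL in the sample stay below the threshold; only the client walking a name list is reported.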