On Wed, Sep 12, 2001 at 06:17:41PM +0400, Alexander A. Kelner said:
> So, he can easily discover if user "anna" exists at your UNIX,
> and try to play with her password, or send her spam etc.

First off, it looks like this was mentioned here:
http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0094.html

> This approach allows him to get necessary info instead of the disabled
> VRFY feature in your Sendmail!
>
> Apache works quickly and IMHO doesn't provide any response delays
> for any kind of result code. So a bad boy can check 1000 different
> names in a very short time!

This will indeed allow you to enumerate usernames on systems that have this feature enabled. The obvious solution is to disable this feature by changing "UserDir public_html" (or whatever) to "UserDir disabled". However, that might not be an option in many cases.

> Sorry if I'm wrong, or this is something trivial.

Wrong? No. Trivial? Up in the air. Enumeration of user names is definitely an important step in attacking a system, but just a username is not going to get you very much. Also, there are a number of other methods that could be used, like searching for '@domain.tld', VRFY in sendmail (as you mentioned) or good old-fashioned finger (yes, a lot of people still run fingerd).

If you are paranoid like me, then disable it. Or just run OpenBSD, which disables it by default.

--
josha.bronson(aka->dmuz) >> dmuz@angrypacket.com
networks/systems/security && CCNA, RHCE
josha.net || dmuz.angrypacket.com