That may be the case, but most servers don't implement the UserDir directive.
If this is not enabled, then you will get a 404, and the user may or may not exist on your server.

--
Andrew Hatfield
Head - Internet Security Division
Hatfield & Associates Pty. Ltd.
Phone : +61 7 3849 7155
Fax : +61 7 3849 6277
Email : info@hatfields.com.au
Web : http://www.hatfields.com.au/

> -----Original Message-----
> From: Alexander A. Kelner [mailto:akson@tts.debryansk.ru]
> Sent: Thursday, 13 September 2001 12:18 AM
> To: bugtraq@securityfocus.com
> Subject: Is there user Anna at your host ?
>
> Hi people !
>
> Look here :-)
>
> You have UNIX server www.yourserver.com
> You have dozen of usual users at your UNIX server.
> You have Apache HTTP daemon configured for standard user's
> homepage location at /home/<username>/public_html.
>
> When someone from the Internet tries to see URL like
>
> http://www.yourserver.com/~anna
>
> he gets one of:
>
> 1. HTTP result code 200, and Anna's homepage,
>    when user "anna" exists at your UNIX, and she has her homepage.
>
> 2. HTTP result code 403, and message from Apache:
>    "You don't have permission to access /~anna on this server.",
>    when user "anna" exists at your UNIX, and she has no homepage
>    or access to her homepage is denied.
>
> 3. HTTP result code 404, and message from Apache:
>    "The requested URL /~anna was not found on this server."
>    when user anna doesn't exist at your UNIX.
>
> So, he can easily discover if user "anna" exists at your UNIX,
> and try to play with her password, or send her spam etc.
>
> This approach allows him to get necessary info instead of disabled
> VRFY feature in your Sendmail !
>
> Apache works quickly and IMHO doesn't provide any response delays
> for any kind of result code. So bad boy can check 1000 different
> names for very short time !
>
> Sorry if I'm wrong, or this is something trivial.
>
> A. Kelner
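
An added example, not part of the original thread: one way to spot the probing described in the quoted message from the server side, by scanning an Apache access log in Common Log Format for clients that request many distinct `/~name` paths in a short burst. The function name, the thresholds (`min_names`, `window`) and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "METHOD path proto" status size
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) /~([^/\s?"]+)\S* [^"]*" (\d{3}) '
)

def find_userdir_probes(lines, min_names=5, window=timedelta(minutes=1)):
    """Return {client: {"probed": set, "confirmed": set}} for clients that
    requested at least min_names distinct /~name paths within `window`."""
    hits = defaultdict(list)  # client -> [(time, name, status)]
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        host, ts, name, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits[host].append((when, name, int(status)))
    report = {}
    for host, events in hits.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            burst_names = {n for _, n, _ in events[start:end + 1]}
            if len(burst_names) >= min_names:
                # Per the mail: 200 and 403 both tell the client the account exists.
                report[host] = {
                    "probed": {n for _, n, _ in events},
                    "confirmed": {n for _, n, s in events if s in (200, 403)},
                }
                break
    return report

# Constructed sample log lines (documentation IP ranges, made-up user names).
SAMPLE = [
    f'192.0.2.10 - - [13/Sep/2001:00:18:0{i} +0000] "GET /~{n} HTTP/1.0" {s} 210'
    for i, (n, s) in enumerate([("anna", 403), ("bob", 404), ("carol", 200),
                                ("dave", 404), ("erin", 404), ("frank", 404)])
] + [
    '198.51.100.7 - - [13/Sep/2001:00:18:02 +0000] "GET /~carol/ HTTP/1.0" 200 1532',
    '198.51.100.7 - - [13/Sep/2001:00:19:40 +0000] "GET /~carol/pics.html HTTP/1.0" 200 804',
]
```

The `confirmed` set lists the account names a flagged client has learned exist, which is the set to review for weak passwords or to expect in spam targeting.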