[LoWNOISE] The same behavior can be used to know if a file exists or not. On some web servers like Apache, if a file exists the common response is a [200 OK] or [405 Method Not Allowed] that will help you evade some NIDS, for example while testing for common cgis on the target machine.

ET

On Wed, 12 Sep 2001, Alexander A. Kelner wrote:

>
> Hi people !
>
> Look here :-)
>
> You have UNIX server www.yourserver.com
> You have dozen of usual users at your UNIX server.
> You have Apache HTTP daemon configured for standard user's
> homepage location at /home/<username>/public_html.
>
> When someone from the Internet tries to see URL like
>
> http://www.yourserver.com/~anna
>
> he gets one of:
>
> 1. HTTP result code 200, and Anna's homepage,
> when user "anna" exists at your UNIX, and she has her homepage.
>
> 2. HTTP result code 403, and message from Apache:
> "You don't have permission to access /~anna on this server.",
> when user "anna" exists at your UNIX, and she has no homepage
> or access to her homepage is denied.
>
> 3. HTTP result code 404, and message from Apache:
> "The requested URL /~anna was not found on this server."
> when user anna doesn't exist at your UNIX.
>
> So, he can easily discover if user "anna" exists at your UNIX,
> and try to play with her password, or send her spam etc.
>
> This approach allows him to get necessary info instead of disabled
> VRFY feature in your Sendmail !
>
> Apache works quickly and IMHO doesn't provide any response delays
> for any kind of result code. So bad boy can check 1000 different
> names in a very short time !
>
> Sorry if I'm wrong, or this is something trivial.
>
> A. Kelner
>
>
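
Added example, not part of the original thread: a log check a defender could run to spot the `/~name` enumeration described in the quoted message, using its 200/403/404 mapping. The log lines, IP addresses, thresholds and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
USERDIR_RE = re.compile(r'^/~([^/?#]+)')   # first path segment is /~username
MISS = {403, 404}        # "no homepage / denied" or "no such user"
DISCLOSING = {200, 403}  # per the post, both mean the account exists

# Constructed sample log (documentation IP ranges, not real traffic)
SAMPLE_LOG = """\
192.0.2.10 - - [12/Sep/2001:10:00:01 +0000] "GET /~anna HTTP/1.0" 403 291
192.0.2.10 - - [12/Sep/2001:10:00:01 +0000] "GET /~bob HTTP/1.0" 404 285
192.0.2.10 - - [12/Sep/2001:10:00:02 +0000] "GET /~carol HTTP/1.0" 404 287
192.0.2.10 - - [12/Sep/2001:10:00:02 +0000] "GET /~dave HTTP/1.0" 200 1024
198.51.100.7 - - [12/Sep/2001:10:05:00 +0000] "GET /~dave/ HTTP/1.0" 200 1024
198.51.100.7 - - [12/Sep/2001:10:05:03 +0000] "GET /index.html HTTP/1.0" 200 512
"""

def find_userdir_probing(lines, min_names=3, min_miss_ratio=0.5):
    """Flag clients that asked for many distinct /~name paths and mostly
    got 403/404 back. Thresholds are assumptions; tune them per site."""
    seen = defaultdict(dict)                 # ip -> {username: last status}
    for line in lines:
        m = LOG_RE.match(line)
        u = USERDIR_RE.match(m["path"]) if m else None
        if u:
            seen[m["ip"]][u.group(1).lower()] = int(m["status"])
    flagged = {}
    for ip, by_name in seen.items():
        misses = sum(1 for s in by_name.values() if s in MISS)
        if len(by_name) >= min_names and misses / len(by_name) >= min_miss_ratio:
            flagged[ip] = {
                "names_tried": len(by_name),
                # accounts whose existence the responses confirmed to this client
                "exists": sorted(n for n, s in by_name.items() if s in DISCLOSING),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in find_userdir_probing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The `exists` list shows which account names the responses confirmed to the flagged client, which is the information the post says leaks.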