> > > Two things can be done to avoid this :
> > >
> > > 1 - Change the ACL on sensitive databases ( /mail/* , names.nsf ) to :
> > > Anonymous - No access
> > > [Default] - No access
>
> In my opinion, a Domino webserver configured with these ACLs still allows enumeration of
> valid users.
>
> If you try to GET a file named /mail/toto.nsf :
> - toto doesn't exist => 404
> - toto exists => redirection to the login page ("200 OK")
>
> I'm not aware of any ACL configuration which forbids this behaviour.

If you've configured the Domino server to use form-based logins/cookies you'll get a 200 response. Else you'll get a 401 Unauthorized. Either way you can still determine if the .nsf or .box file exists.

Cheers,
David Litchfield
http://www.ngssoftware.com/
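Since the thread concludes that no ACL setting hides the 404-versus-200/401 difference, the practical control is to notice the guessing pattern in the web server's access log. The following detector is an added example (not code from either poster, nor from Lotus/IBM): it reads constructed Common Log Format lines, treats a 404 on a `.nsf`/`.box` path as "database absent" and a 200 or 401 as "database present" (the two outcomes the thread describes), and flags any client that collects several 404s across many distinct database names. The log format, the sample lines and the thresholds (`min_missing`, `min_distinct`) are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format); not real Domino output.
# 10.0.0.5 walks through /mail/<name>.nsf guesses; 10.0.0.9 is an ordinary user.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2003:10:00:01 +0000] "GET /mail/alice.nsf HTTP/1.0" 401 0
10.0.0.5 - - [01/Jan/2003:10:00:02 +0000] "GET /mail/bob.nsf HTTP/1.0" 404 215
10.0.0.5 - - [01/Jan/2003:10:00:03 +0000] "GET /mail/carol.nsf HTTP/1.0" 404 215
10.0.0.5 - - [01/Jan/2003:10:00:04 +0000] "GET /mail/dave.nsf HTTP/1.0" 404 215
10.0.0.5 - - [01/Jan/2003:10:00:05 +0000] "GET /mail/erin.nsf HTTP/1.0" 200 1893
10.0.0.5 - - [01/Jan/2003:10:00:06 +0000] "GET /mail/frank.nsf HTTP/1.0" 404 215
10.0.0.5 - - [01/Jan/2003:10:00:07 +0000] "GET /mail.box HTTP/1.0" 401 0
10.0.0.9 - - [01/Jan/2003:10:05:00 +0000] "GET /mail/alice.nsf HTTP/1.0" 200 1893
10.0.0.9 - - [01/Jan/2003:10:05:30 +0000] "GET /mail/alice.nsf/($Inbox)?OpenView HTTP/1.0" 200 4021
10.0.0.9 - - [01/Jan/2003:10:06:00 +0000] "GET /names.nsf HTTP/1.0" 401 0
"""

# Common Log Format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# The database part of a Domino URL: /mail/<name>.nsf, /names.nsf, /mail.box, ...
DB_RE = re.compile(r'^/(?:mail/)?[^/?]+\.(?:nsf|box)', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def database_of(path):
    """Strip view/document suffixes so every hit on one database counts once."""
    m = DB_RE.match(path)
    return m.group(0).lower() if m else None


def summarize(log_text):
    """Per client IP: databases that answered 404 vs. those that answered 200/401."""
    stats = defaultdict(lambda: {"missing": set(), "present": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        db = database_of(rec["path"])
        if db is None:
            continue
        status = int(rec["status"])
        if status == 404:
            stats[rec["ip"]]["missing"].add(db)
        elif status in (200, 401):  # the two "exists" answers named in the thread
            stats[rec["ip"]]["present"].add(db)
    return stats


def flag_enumerators(log_text, min_missing=3, min_distinct=5):
    """Clients that touched many distinct databases and drew several 404s look like name guessing.

    Thresholds are assumed values for illustration; tune them to the site's normal traffic.
    """
    findings = []
    for ip, s in summarize(log_text).items():
        distinct = len(s["missing"] | s["present"])
        if len(s["missing"]) >= min_missing and distinct >= min_distinct:
            findings.append({
                "ip": ip,
                "missing": sorted(s["missing"]),
                "present": sorted(s["present"]),
            })
    return findings


if __name__ == "__main__":
    for f in flag_enumerators(SAMPLE_LOG):
        print(f"{f['ip']}: {len(f['missing'])} absent, {len(f['present'])} confirmed "
              f"databases -> {', '.join(f['present'])}")
```

A legitimate user rarely produces a 404 on a mail database (their own file exists), so a burst of 404s spread over many different `.nsf` names from one address is the signature worth alerting on; the `present` list in each finding shows which names the client has already confirmed, which is what an analyst needs when deciding on a block or a password-spray watch for those accounts.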