On Sat, 13 September 2008 04:47, s. keeling wrote:
[...]
>> Try to login on any Lenny box console with an invalid account.
>> You will get "Incorrect login" without being prompted for a
>> password at all.
> What? And you get a shell prompt?!?
>
Even if you do not have a shell, you do have an important piece of information: the login you tried does not exist. So, you can do a first rapid scan based on a dictionary to find the existing users on the server. Then, you can focus your attack on these accounts. If the system asked for a password even when the account does not exist, you could not know whether the account exists or not. The security problem is here, if I understood the previous message correctly.

As I use Etch, I was not able to test it on lenny and I did not test it on Etch.

Fanfan
--
http://www.cerbelle.net - http://www.afdm-idf.org
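The difference discussed in this message, as an added example that is not part of the original post and is not Debian's login code: a login routine that rejects unknown accounts before prompting, beside one that always prompts and does the same hashing work. The account database, the names `leaky_login`, `uniform_login` and `observe`, and the PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for this demo

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password):
    salt = os.urandom(16)
    return salt, _derive(password, salt)

# Constructed sample account database (hypothetical user and password).
USERS = {"alice": make_record("correct horse")}
# Dummy record checked when the account is unknown, so the prompt and the
# hashing cost are the same whether or not the account exists.
DUMMY = make_record(os.urandom(16).hex())

def leaky_login(user, ask_password):
    """Behaviour reported in the thread: unknown users are refused before any prompt."""
    if user not in USERS:
        return "Incorrect login"
    salt, stored = USERS[user]
    ok = hmac.compare_digest(_derive(ask_password(), salt), stored)
    return "Welcome" if ok else "Incorrect login"

def uniform_login(user, ask_password):
    """Always prompt, always hash, and give one failure message."""
    salt, stored = USERS.get(user, DUMMY)
    ok = hmac.compare_digest(_derive(ask_password(), salt), stored)
    return "Welcome" if ok and user in USERS else "Incorrect login"

def observe(login, user, password):
    """What is visible at the console: (was a password requested?, final message)."""
    prompts = []
    def ask():
        prompts.append(1)
        return password
    message = login(user, ask)
    return bool(prompts), message

if __name__ == "__main__":
    for login in (leaky_login, uniform_login):
        for user in ("alice", "nosuchuser"):
            print(login.__name__, user, observe(login, user, "wrong"))
```

With `leaky_login` the two failed attempts differ in whether a password was requested; with `uniform_login` they are identical.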

