[wplug] w2k samba clients
Duncan Hutty
duncanhutty at comcast.net
Sun Aug 8 10:40:20 EDT 2004
Bill Moran wrote:
> Note that, from the code, Samba hasn't even looked
> at the password yet, it's simply determined that it doesn't have a valid
> user name.
>
> I'm going out on a limb a bit, but I have one more suggestion below.
This sounds like a security vulnerability to me. Are you saying that the
server provides a different error message when the client provides an
invalid username than when it provides an invalid password? This can be
used to mine for usernames.
Duncan Hutty
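
The concern raised in this message, as an added example that is not part of the original post and is not Samba's code: a login check that answers differently for an unknown user than for a wrong password, next to one that gives the same reply and does the same hashing work in both cases. All function names, account names, status strings and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed value, kept low so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_db(users: dict) -> dict:
    """Build {name: (salt, hash)} from constructed sample accounts."""
    db = {}
    for name, password in users.items():
        salt = os.urandom(16)
        db[name] = (salt, _hash(password, salt))
    return db


USERS = make_user_db({"alice": "correct horse", "bob": "hunter2"})  # constructed

# Dummy record: unknown users still cost one full hash computation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)


def login_leaky(db: dict, user: str, password: str) -> str:
    """Distinguishes the two failure cases, so replies reveal valid names."""
    if user not in db:
        return "NO_SUCH_USER"  # returned before the password is examined
    salt, stored = db[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "WRONG_PASSWORD"
    return "OK"


def login_uniform(db: dict, user: str, password: str) -> str:
    """One failure reply and the same hashing work for every failed attempt."""
    salt, stored = db.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if user in db and matches:
        return "OK"
    return "LOGON_FAILURE"


def distinguishable(login, db: dict, known: str, unknown: str) -> bool:
    """True if the reply to a bad password differs between a real and a fake name."""
    return login(db, known, "wrong-guess") != login(db, unknown, "wrong-guess")
```
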