[wplug] w2k samba clients
Bill Moran
wmoran at potentialtech.com
Sun Aug 8 10:48:06 EDT 2004
Duncan Hutty <duncanhutty at comcast.net> wrote:
> Bill Moran wrote:
>
> > Note that, from the code, Samba hasn't even looked
> > at the password yet, it's simply determined that it doesn't have a valid
> > user name.
> >
> > I'm going out on a limb a bit, but I have one more suggestion below.
> >
> This sounds like a security vulnerability to me. Are you saying that the
> server provides a different error message when the client provides an
> invalid username than when it provides an invalid password? This can be
> used to mine for usernames.

I don't think so. The special error message is only recorded in the log
file on the Samba server, so it's unlikely to be a security issue unless
the Samba server itself is unsecured anyway.

I haven't traced the code far enough to be sure, but it appears as if the
client attempting to connect gets a general session setup failure error.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
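
The pattern discussed in this message (the specific failure reason goes only to the server log, while the client gets one general failure) as an added example; it is not Samba's code and not part of the original post. `session_setup`, the `authd` logger and the account store are hypothetical names with constructed data, and the dummy-record hashing goes slightly beyond the thread by also keeping the work done for unknown and known users the same.

```python
import hashlib
import hmac
import logging
import os

# Hypothetical server-side log; only administrators of the server read it.
log = logging.getLogger("authd")

# The single error string a client ever sees, whatever the real reason was.
GENERIC_FAILURE = "session setup failed"


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample account store: user name -> (salt, derived key).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive("correct horse", _SALT))}

# Dummy record so an unknown user costs the same hashing work as a known one.
_DUMMY = (os.urandom(16), os.urandom(32))


def session_setup(user: str, password: str) -> tuple[bool, str]:
    """Return (ok, client_message); the specific reason is logged, not returned."""
    known = user in USERS
    salt, expected = USERS.get(user, _DUMMY)
    match = hmac.compare_digest(_derive(password, salt), expected)
    if known and match:
        return True, "ok"
    # Distinguish the two cases for the operator only (%r escapes control chars).
    reason = "bad password" if known else "invalid user name"
    log.warning("auth failure for %r: %s", user, reason)
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(session_setup("alice", "wrong"))    # known user, bad password
    print(session_setup("mallory", "wrong"))  # unknown user, same client result
```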