Hi,
We ran a scan on our server to check that PCI-DSS standards are being complied with, and the following vulnerability was found:
Lotus Domino Username Enumeration Vulnerability
THREAT:
An issue was reported in Lotus Domino server, which could allow for remote users to determine the validity of a username existing on a host. When a remote user submits a GET request for a possible user’s account, the server response assists the user in determining the validity of the username submitted. If the submitted username is valid, the server replies with an HTTP 200 OK message and the login screen. Alternatively, when the submitted username is not valid (meaning that it does not exist on the system), the server responds with a 404 File not Found message. Because the server responds differently depending on whether or not the username is valid, a remote user can test and enumerate possible usernames.
IMPACT:
If this vulnerability is successfully exploited, remote malicious users can identify valid usernames, which can then be used in further attacks on the vulnerable host.
SOLUTION:
We are not currently aware of any vendor-supplied patches to resolve this issue. Please check Lotus Domino’s Web site for the latest information.
We cannot find any information on this website, or via internet searches, about any possible fixes. Can somebody please point us in the right direction?
Thanks.
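While the post above asks for a vendor fix, the advisory's description of the behaviour (an unknown name answered with 404, a known name answered with 200 and the login form) is enough to build a compensating detection. The script below is an added example, not code from the thread or from IBM/Lotus: it reads web-server access log lines, assumed here to be in Common Log Format, groups GET requests by client address, and flags any client that within a short window receives 404 for several distinct paths and 200 for at least one. The log lines are constructed samples; the window size, threshold and the `/mail/<name>.nsf` paths are assumptions for illustration, not values taken from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident authuser [date] "request" status bytes
# (assumed log layout; adjust the pattern to match your server's log settings)
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not from a real server. 192.0.2.10 is an ordinary
# user; 203.0.113.5 walks through candidate names and gets one 200 among many 404s.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:50:01 +0000] "GET /mail/asmith.nsf HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Oct/2023:13:50:09 +0000] "GET /mail/asmith.nsf?OpenDatabase HTTP/1.1" 200 8011',
    '192.0.2.10 - - [10/Oct/2023:13:51:40 +0000] "GET /names.nsf HTTP/1.1" 200 3600',
    '192.0.2.10 - - [10/Oct/2023:13:52:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Oct/2023:13:55:30 +0000] "GET /mail/aaron.nsf HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Oct/2023:13:55:31 +0000] "GET /mail/abby.nsf HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Oct/2023:13:55:31 +0000] "GET /mail/adam.nsf HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Oct/2023:13:55:32 +0000] "GET /mail/alice.nsf HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Oct/2023:13:55:33 +0000] "GET /mail/jsmith.nsf HTTP/1.1" 200 1450',
    '203.0.113.5 - - [10/Oct/2023:13:55:34 +0000] "GET /mail/jones.nsf HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Oct/2023:13:55:35 +0000] "GET /mail/karen.nsf HTTP/1.1" 404 0',
    'this line is not in CLF and is skipped by the parser',
]


def parse_clf(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"host": m.group("host"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def detect_enumeration(lines, window=timedelta(minutes=5), min_404=5):
    """Flag clients whose GETs, inside any `window`-long span, hit at least
    `min_404` distinct paths answered 404 plus at least one answered 200.
    That 404/200 mix is the differential the advisory describes. Returns
    {host: {"probed_404": [...], "valid_200": [...]}} with sorted path lists."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_clf(line)
        if rec and rec["method"] == "GET":
            by_host[rec["host"]].append(rec)

    findings = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            missing = {r["path"] for r in span if r["status"] == 404}
            found = {r["path"] for r in span if r["status"] == 200}
            if len(missing) >= min_404 and found:
                f = findings.setdefault(host, {"probed_404": set(), "valid_200": set()})
                f["probed_404"] |= missing
                f["valid_200"] |= found
    return {h: {k: sorted(v) for k, v in f.items()} for h, f in findings.items()}


if __name__ == "__main__":
    for host, detail in detect_enumeration(SAMPLE_LOG).items():
        print(f"{host}: {len(detail['probed_404'])} names answered 404, "
              f"valid names answered 200: {detail['valid_200']}")
```

Detection of this kind is a compensating control for the PCI scan finding, not a fix: the underlying weakness is that valid and invalid names produce distinguishable responses, and the general remedy is to make the server answer both cases the same way (for example, by always presenting the login form and deciding validity only after authentication). The threshold and window here are starting points; tune them against your own traffic, since a handful of 404s from a single user is normal and should not page anyone.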