First published: Mon Nov 17 2008(Updated: )
The LDAP server in Active Directory in Microsoft Windows 2000 SP4 and Server 2003 SP1 and SP2 responds differently to a failed bind attempt depending on whether the user account exists and is permitted to login, which allows remote attackers to enumerate valid usernames via a series of LDAP bind requests, as demonstrated by ldapuserenum.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Microsoft Windows 2000 | =sp4 | |
Microsoft Windows | =server_2003-sp2 | |
Microsoft Windows | =server_2003-sp1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.