The LDAP server in Active Directory in Microsoft Windows 2000 SP4 and Server 2003 SP1 and SP2 responds differently to a failed bind attempt depending on whether the user account exists and is permitted to login, which allows remote malicious users to enumerate valid usernames via a series of LDAP bind requests, as demonstrated by ldapuserenum.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
microsoft windows server_2003 |
||
microsoft windows 2000 - |