Unauthenticated users are able to see the X.509 certs for all users in the system. I think this is a major security flaw.
How do you disable it? I am trying to figure out the exact script that is generating this list. If you already know it, save me some digging!!!
All help appreciated.
Not really a security flaw per se. The certificates contain the public key for the individual. That should not be a security risk. The whole idea of public keys is that they can be public.
I think the issue is that it exposes your user list, which allows for phishing attempts.
For myself, I think that any directory server should not be accessible from outside your organization. If you are setting up users on Zeroshell then you are using it as a directory server and the home screen on it should not be accessible from outside your organization.
Inside your organization, having your users visible should not be too big an issue.