Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Lotus Domino 5.0.5 Web Server vulnerability - reading fi
From: Kai Rossner <kai.rossner () CONNECTOR DE>
Date: Thu, 11 Jan 2001 15:12:15 -0000

I can reproduce it with

- domino 5.05 (german) on a win 2k professional   
  workstation with the netscape navigator 4.75
- domino 5.01 (german) on a win2k server with
  the netscape navigator 4.75

I canĀ“t reproduce it with

- domino 4.6x on NT4 server (Intel and Alpha)
- domino 5.0x on NT4 Server (Alpha)

Summary of responses to .nsf/../ issue:

---------------------------
From: tschweikle () FIDUCIA de

Domino is installed in D:\programme\notes, the 
data-directory
is D:\programme\notes\data (an NT4 box with 
Domino R4.6.7):

with 
http://myserver/.nsf/../Programme/notes/data/notes.ini
I might therefore reach notes.ini. But:

Error 404
Not found - file doesn't exist or is read protected 
[even tried multi]

My second box is Linux with Domino R5.0.6:

installation path is: /opt/lotus/notes. Data is 
in /local/notesdata
These are different partitions.

Trying

http://myserver2/.nsf/../local/notesdata/notes.ini or
http://myserver2/.nsf/../notesdata/notes.ini or
http://myserver2/.nsf/../notes.ini or
http://myserver2/.nsf/../opt/lotus/notes/license.txt
...
http://myserver2/.nsf/../opt/license.txt

all give the same error:

Error 404
Not found - file doesn't exist or is read protected 
[even tried multi]


Thus I couldn't confirm your vulnerability. But on the 
other hand,
both servers are really restrictive in what is allowed 
to do for
domino. Maybe the error message should read: "... 
does not have
permission to read this file."

But remarkably there are no log entries telling me 
one tried to
access an normally inaccessible file. Apache tells 
me about such
an attempt!

---------------------------------
From: Karl_Rademacher () agl aon com
     I've been unable to reproduce this on a machine 
under my control. It just
strips out the .nsf/../ portion of the url and returns 
the standard "404 File
not found" message. Did you experience anything 
like that (in other words, am I
doing something wrong?). Here are the particulars 
of the server in question:

NT4 SP6 with TCP security patches
All forms of NT networking un-installed except the 
IP stack.
Domino R5.05 running on a non-system partition
HTTP server forces an ssl connect, user 
authentication and doesn't allow
directory browsing.

     I'm thinking that something to do with the 
directory browsing restriction
is causing the .nsf/../ to be stripped out of the GET 
request by the server, but
I could be wrong. Still, I don't get the "URL 
Containing .. Forbidden" message.
Any insights?


----------------------------------------
From: Felix Grushevskiy <fil () viaduk net>

Version 5.06 (nt4sp6a) is also affected by this




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault