Bugtraq mailing list archives

Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root
From: Georgi Guninski <guninski () GUNINSKI COM>
Date: Mon, 8 Jan 2001 21:49:35 +0200

Lotus wrote to me they have been able to reproduce the vulnerability and shall fix it in
an upcoming release.

Georgi Guninski

Ben Greenbaum wrote:

Summary of responses:

From: rjmitchell () columbiaenergygroup com

I just tested this on our Domino 5.0.5 boxes running on Windows NT 4.0 (service
pack 6a) and it did not work. Here is the error message I got:

Error 0

Forbidden - URL containing .. forbidden [don't try to break in]

From: "Cristi Dumitrescu" <cristid () chip ro>

Tried on a Windows NT 4 machine with the same version of Domino and it does
not work.
Telnet session transcript:
GET .nsf/../winnt/win.ini HTTP/1.0

HTTP/1.1 404 Not found - file doesn't exist or is read protected [even tried

GET .nsf/../../winnt/win.ini HTTP/1.0

HTTP/1.1 500 Forbidden - URL containing .. forbidden [don't try to break in]

From: <rreiner () fscinternet com>

A few quick followups

 1/ this vulnerability is also confirmed on Domino 5.0 (original
 2/ this vulnerability is also confirmed on NT4
 3/ it appears that this vulnerability does NOT affect Domino 5.0.5 on

From: John Cardona <jojaca () senamed edu co>

I tested Lotus Domino 5.0 under NT4.0 Service Pack 6a and it has the same

From: TDyson () sybex com

Could not reproduce on Domino 5.0.5 nor 5.0.4 under Windows NT 4 (SP 5 or
6a - don't know for sure).


Gives a 404 error


Gives a "Error 0 Forbidden - URL containing .. forbidden [don't try to
break in]"

Might be a result of configuration options in either Domino or NT.  Servers
checked have "Allow HTTP clients to browse databases:" set to NO.

As an aside, I object to announcing such a potentially damaging
vulnerability only 48 hours after the vendor was contacted.

Thom Dyson
Director of Information Services
Sybex, Inc.

From: "Philip Wagenaar" <pb.wagenaar () chello nl>

I have tried the exploit on several Lotus Domino 5.0.5 web servers but I
wasn't able to reproduce the problem.

From: Carsten.Schuette () hitcon de

NT 4 (German) SP5 is vulnerable too, but Dominos below 5.0.4 don't seem
to have this malfunction.

It was possible to get any file instead of NSFs, any suggestions why? Could
it be possible to change the partition?


Ben Greenbaum
Director of Site Content
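
An added example, not part of the original thread or any poster's code: a log check for the `.nsf/../` request pattern quoted above, separating requests the server rejected (the 404 and 500 responses reported) from ones it answered with content. The Common Log Format layout, the sample lines and the function name are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format is an assumption; the
# thread does not show Domino's log layout). Addresses are documentation ranges.
SAMPLE_LOG = '''\
192.0.2.10 - - [08/Jan/2001:10:00:01 +0200] "GET /example.nsf HTTP/1.0" 200 5120
192.0.2.11 - - [08/Jan/2001:10:00:05 +0200] "GET /.nsf/../winnt/win.ini HTTP/1.0" 404 210
192.0.2.11 - - [08/Jan/2001:10:00:09 +0200] "GET /.nsf/../../winnt/win.ini HTTP/1.0" 500 230
192.0.2.12 - - [08/Jan/2001:10:01:00 +0200] "GET /.nsf/../winnt/win.ini HTTP/1.0" 200 480
'''

# client, ident, user, [timestamp], "METHOD PATH PROTO", status
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# ".nsf/" followed by one or more "../" segments, as in the quoted requests
NSF_DOTDOT = re.compile(r'\.nsf/(?:\.\./)+', re.IGNORECASE)


def find_nsf_traversal(log_text):
    """Return (client, path, status, verdict) for requests containing '.nsf/../'."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, raw_path, status = m.groups()
        path = unquote(raw_path)  # match on the decoded path, not the raw text
        if not NSF_DOTDOT.search(path):
            continue
        # 2xx means the server returned content and needs investigation;
        # 4xx/5xx corresponds to the rejections reported in the thread.
        verdict = "served" if status.startswith("2") else "rejected"
        hits.append((client, path, int(status), verdict))
    return hits


if __name__ == "__main__":
    for hit in find_nsf_traversal(SAMPLE_LOG):
        print(hit)
```
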
