Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Lotus Domino password bypass
From: Chad Loder <chad () rapid7 com>
Date: Mon, 04 Feb 2002 12:23:22 -0800

We've reproduced this on Domino 5.0.8 and earlier. Domino
version 5.0.9 does NOT appear to be vulnerable (it gives
an Error 500 Unable to Process Request).

I seem to remember another variant of this vulnerability
having been reported before. However I can't find the URL
for the advisory (it might have been David Litchfield
from NextGenSS) -- the reason I think so is because Lotus
fixed a whole slew of template access problems in 5.0.9
(apparently including this one).

As far as I can tell, this vulnerability only allows you to
access the design template (.ntf), not the database itself

However, access to the webadmin.ntf template in particular
can be very dangerous.  As David Litchfield reported last year
(yes I'm sure it was him this time :-), attackers can use that
template to read files on the Domino system. So this bug may
provide another way to get at the web admin template. See the
following for more information:


We have added a check for this URL variant to NeXpose,
our security scanner. Visit http://www.rapid7.com to
learn more and to download.

Gabriel Maggiotti wrote:
Web:  http://qb0x.net                   Author: Gabriel A. Maggiotti
Date: Febrary 03, 2002                  E-mail: gmaggiot () ciudad com ar

General Info
Problem Type    :  password protected url bypass
Product         :  Lotus Domino
Scope           :  Remote
Risk            :  High

Chad Loder <chad () rapid7 com>
Principal Engineer
Rapid 7, Inc. <http://www.rapid7.com>

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]