mailing list archives
Re : Lotus Domino password bypass
From: Nicolas Gregoire <ngregoire () exaprobe com>
Date: Mon, 04 Feb 2002 18:57:23 +0100
04/02/2002 04:00:52, "Gabriel A. Maggiotti" <gmaggiot () ciudad com ar> wrote :
A security vulnerability has been found in the popular Lotus Domino Web server.
Lotus Domino have files like webadmin.nsf, log.nsf and names.nfs, this files
are protected by password. I discover that is posible to bypass this password
if you create a malformed url.
Notes Databases '.nsf' like webadmin.nsf or log.nsf are store in "lotus/domino/
data/" directory nas Notes Templatesi '.ntf' are store in the same place (Here
is the goal).
My 0.2 Euros :
- this problem is (quite) old news and is described in details in a David Litchfield paper.
This file can be downloaded at http://www.nextgenss.com/hpdws.zip
- you have (a little) mis-understood the problem.
Quoted from the "Hackproofing Lotus Domino Web Server" doc :
"Another method of tricking Domino into opening the Web Administrator template is
through the use of buffer truncation. By making the following request
access to webadmin.ntf is granted. This works because Domino attempts to protect itself
from buffer overrun attacks and chops a user request down to a safe size. In terms of
events here's what happens. Domino receives the request and converts all the pluses to
spaces and sees it has a .nsf file extention and therefore loads the database parser. The
database parser chops the end off of the request, (thus removing the .nsf) to prevent any
buffer overrun and then looks in the lotus\domino\data directory for the file, webadmin.ntf
<space><space><space>.... which it finds and then opens. Thus again the attacker can
use webadmin.ntf's functionality."
- Re : Lotus Domino password bypass Nicolas Gregoire (Feb 04)