mailing list archives
Re: Lotus Domino password bypass
From: "David Litchfield" <david () nextgenss com>
Date: Mon, 4 Feb 2002 17:33:06 -0000
A security vulnerability has been found in the popular Lotus Domino Web
normal url: http://host.com/log.nsf <---- Request for a passwd
modify url: http://host.com/log.ntf<buff>.snf/
This is a known problem and has already been addressed by Lotus. Regardless,
the .ntf file you're accessing here is a notes template file and is the
model upon which the real log database (.nsf) is based upon. There is
nothing in these template files of worth save for the Domino Web
Administrator template. As anonymous access can be gained to this template
attackers can use some of the functionality to read text files on the system
or enumerate databases. Also of note is cache.dsk. Using the same techinique
attackers can access this cache file which can allow an attacker to
enumerate databases on the remote system.
To protect against this problem install the patch from Lotus. Further, using
Domino Designer set the ACLs on the Web Administrator template to prevent
anonymous access. Please note that in future distributions Lotus has
defaulted the ACLs on webadmin.ntf to prevent access.
p.s. NGSSoftware's DominoScan can be used to determine if your Domino server
is vulnerable to this problem.