Bugtraq mailing list archives
Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root
From: Hendrik-Jan Verheij <h.j.verheij () POPIN NL>
Date: Mon, 8 Jan 2001 19:33:58 +0100
Regarding this vulnerability: The problem seems to exist with all versions of Lotus 5.04 and up and has even been confirmed on 4.6.7 (the latest R4 release).

In a standard Windows installation the URL mentioned by Georgi Guninski will result in the contents of win.ini being displayed, or the file being downloadable. After some testing it becomes apparent that the vulnerability only exists on the drive where the Domino program files reside. This means your system drive if you haven't changed the installer's defaults. If one has changed the defaults, a URL like http://yourvictim/.nsf/../lotus/domino/notes.ini will still reveal sensitive information, be it that e.g. /winnt/repair/sam._ cannot be read anymore as these files are on your system drive.

Forming URLs like /.nsf/../../ directly on the root of the target's web server will trigger Domino's security rules unless you are trying to back out of a subdir (http://target.com/directory/.nsf/../../thefileyouwant).

In a sensible environment you will change the installation defaults to where you have a separate system disk, a program disk and a data disk. In the event of a shared program / data disk, your Notes server.id (which is not password protected) is still up for grabs.

So far this vulnerability has been confirmed on NT4 / Win2000 / S390 / AS400 / Linux / Solaris. (Not all have been tested by me.)

I have to agree with Thom Dyson when it comes to announcing this vulnerability 48 hours after its discovery.

regards,

Hendrik-Jan Verheij
http://redheat.org
Hostmaster Popin Internet
+31074 2555660
h.j.verheij () popin nl
http://www.popin.nl
Assimilation is irrelevant, You are futile!

----- Original Message -----
From: "Ben Greenbaum" <bgreenbaum () SECURITYFOCUS COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Monday, January 08, 2001 5:17 PM
Subject: Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root
Summary of responses:

---
From: rjmitchell () columbiaenergygroup com

I just tested this on our Domino 5.0.5 boxes running on Windows NT 4.0 (service pack 6a) and it did not work. Here is the error message I got:

Error 0 Forbidden - URL containing .. forbidden [don't try to break in]

---
From: "Cristi Dumitrescu" <cristid () chip ro>

Tried on a Windows NT 4 machine with the same version of Domino and it does not work. Telnet session transcript:

GET .nsf/../winnt/win.ini HTTP/1.0
HTTP/1.1 404 Not found - file doesn't exist or is read protected [even tried multi]

GET .nsf/../../winnt/win.ini HTTP/1.0
HTTP/1.1 500 Forbidden - URL containing .. forbidden [don't try to break in]

---
From: <rreiner () fscinternet com>

A few quick followups
1/ this vulnerability is also confirmed on Domino 5.0 (original release)
2/ this vulnerability is also confirmed on NT4
3/ it appears that this vulnerability does NOT affect Domino 5.0.5 on Linux

---
From: John Cardona <jojaca () senamed edu co>

I test Lotus Domino 5.0 under NT4.0 Service Pack 6a and it has the same vulnerability.

---
From: TDyson () sybex com

Could not reproduce on Domino 5.0.5 nor 5.0.4 under Windows NT 4 (SP 5 or 6a - don't know for sure).

-----------------------------------------
http://TARGETDOMINO/.nsf/../winnt/win.ini
-----------------------------------------
Gives a 404 error

-----------------------------------------
http://TARGETDOMINO/../winnt/win.ini
-----------------------------------------
Gives a "Error 0 Forbidden - URL containing .. forbidden [don't try to break in]"

Might be a result of configuration options in either Domino or NT. Servers checked have "Allow HTTP clients to browse databases:" set to NO.

As an aside, I object to announcing such a potentially damaging vulnerability only 48 hours after the vendor was contacted.

Thom Dyson
Director of Information Services
Sybex, Inc.

---
From: "Philip Wagenaar" <pb.wagenaar () chello nl>

I have tried the exploit on several Lotus Domino 5.0.5 web servers but I wasn't able to reproduce the problem.

---
From: Carsten.Schuette () hitcon de

NT 4 (german) SP5 is vulnerable too, but Dominos below 5.0.4 doesn't seem to have this malfunction. It was possible to get any file instead of NSFs, any suggestions why? Could it be possible to change the partition?

---
Ben Greenbaum
Director of Site Content
SecurityFocus
http://www.securityfocus.com
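The thread above shows the same class of request ("/.nsf/../winnt/win.ini", the percent-encoded variant, and the "/directory/.nsf/../../file" form used to back out of a subdirectory) producing different results on different installations, and that a literal ".." straight off the root is refused while one placed after a ".nsf" segment is not. The following script is an added example for defenders; it is not code from the thread or from Lotus. It does two things: scans constructed access-log lines for any decoded ".." segment (browsers normalise dot segments before sending, so a literal one in a log is attacker-supplied) and notes whether it follows a ".nsf" segment as in the posts; and shows a server-side mapping that canonicalises the path before checking it stays inside the served directory, which is the check the reported behaviour lacks. The directory layout, log format, hosts and status codes are all constructed for illustration.

```python
"""Added example (not from the Bugtraq thread): detection and hardened mapping
for '.nsf/..' style traversal URLs.  Layout and log lines below are constructed."""
import posixpath
import re
from urllib.parse import unquote

# Constructed Domino-like layout (assumption, not taken from the thread).
DATA_DIR = "/lotus/domino/data"   # only content under here should be served

# Common Log Format, enough to pull host, request path and status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one benign request plus the URL forms discussed in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2001:19:00:01 +0100] "GET /names.nsf HTTP/1.0" 200 5120
10.0.0.9 - - [08/Jan/2001:19:00:07 +0100] "GET /.nsf/../winnt/win.ini HTTP/1.0" 200 2310
10.0.0.9 - - [08/Jan/2001:19:00:09 +0100] "GET /.nsf/%2e%2e/lotus/domino/notes.ini HTTP/1.0" 200 1844
10.0.0.9 - - [08/Jan/2001:19:00:12 +0100] "GET /../winnt/win.ini HTTP/1.0" 403 0
10.0.0.7 - - [08/Jan/2001:19:01:00 +0100] "GET /help/.nsf/../../lotus/domino/server.id HTTP/1.0" 200 880
"""


def url_segments(raw_path):
    """Percent-decode once, then split into non-empty path segments."""
    return [s for s in unquote(raw_path).split("/") if s != ""]


def has_dot_dot_segment(raw_path):
    """True when the decoded path carries a literal '..' segment anywhere."""
    return ".." in url_segments(raw_path)


def follows_nsf(raw_path):
    """True when a '..' segment directly follows a segment ending in '.nsf'."""
    segs = url_segments(raw_path)
    return any(segs[i].lower().endswith(".nsf") and segs[i + 1] == ".."
               for i in range(len(segs) - 1))


def scan_log(text):
    """Return (host, raw path, status, after_nsf) for every request with a '..' segment."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if has_dot_dot_segment(path):
            hits.append((m.group("host"), path, m.group("status"), follows_nsf(path)))
    return hits


def safe_map(raw_path):
    """Hardened URL-to-file mapping: canonicalise first, then require containment.
    Returns the filesystem path, or None when the request must be refused."""
    if has_dot_dot_segment(raw_path):
        return None  # no legitimate client sends dot segments; refuse outright
    candidate = posixpath.normpath(posixpath.join(DATA_DIR, *url_segments(raw_path)))
    if candidate != DATA_DIR and not candidate.startswith(DATA_DIR + "/"):
        return None  # resolved outside the served tree
    return candidate


if __name__ == "__main__":
    for host, path, status, after_nsf in scan_log(SAMPLE_LOG):
        flag = "after .nsf" if after_nsf else "at root"
        print(f"{host} {status} {flag}: {path}")
    print("mapping /names.nsf ->", safe_map("/names.nsf"))
    print("mapping /.nsf/../winnt/win.ini ->", safe_map("/.nsf/../winnt/win.ini"))
```

The containment check alone is not sufficient for the ".nsf/.." case: lexically, "/.nsf/../winnt/win.ini" normalises to a path inside the served directory, so only the refusal of literal dot segments catches it. That is why both checks are applied, and why the log scan keys on the decoded segment rather than on a raw substring match for "..".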
Current thread:
- Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root Georgi Guninski (Jan 05)
- WORKAROUND: Lotus Domino 5.0.5 Web Server vulnerability Leonardo Rodrigues (Jan 09)
- <Possible follow-ups>
- Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root Ben Greenbaum (Jan 08)
- Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root Georgi Guninski (Jan 08)
- Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root Hendrik-Jan Verheij (Jan 09)
- Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root Stephen Forinash (Jan 08)
