[10980] in bugtraq
Re: L0pht 'Domino' Vulnerability is alive and well
daemon@ATHENA.MIT.EDU (mtremblay@BAHNSO.COM)
Fri Jul 9 04:09:16 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <OF1F41152C.BB2E8B6C-ON852567A8.006AB167@bahnso.com>
Date: Thu, 8 Jul 1999 19:37:45 GMT
Reply-To: mtremblay@BAHNSO.COM
From: mtremblay@BAHNSO.COM
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
yep that's all true... yet I feel domino sites are quite secure for many other
reasons...
one of them being that domino is a very proprietary platform and that very few
people know about common commands:
url?open
url?openform
url?openpage
url?opendatabase
notes: www.lotus.com\?open would allow you to list all DBs on the server if not
properly configured... also note that mail files are almost always in a \mail dir which
may be accessible by www.lotus.com\mail\?open, also note that mail files are
almost always named by the mail username (which you can get by any other relevant
means such as smtp "vrfy let'ssaywebmaster") and of type .nsf (as are all other
notes db files)... moreover (and finally this is my point!!!), there is no such
thing as a "locked" account (am I right? if not, I know for sure that the
"locked" feature is not enabled by default), so just have yourself a perl script
that tries
www.lotus.com\mail\webmaster.nsf?open
with some brute force pcrack, and you're it!
ps: this is fiction to a certain point, as I don't know the syntax of a url which
would feed the passwd/usern to the above location
flames and applause welcome!!! ;)
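The post above describes three things a Domino web server operator would want to see in their access logs: listing attempts against a directory (`/?open`, `/mail/?open`), a loop that requests many different `/mail/<name>.nsf` files to discover which usernames exist, and repeated authentication failures against one mail file when no lockout is enabled. The following scanner is an added example written for this archive page, not code from the original poster or from Lotus; the log lines, IP addresses, usernames and thresholds are all constructed for illustration, and it assumes a combined-format access log where the HTTP status is the field after the request.

```python
"""Detect Domino URL-command probing and mail-file guessing in web access logs.

Added example (not from the Bugtraq post). It scans constructed combined-format
access log lines and reports:
  - listing attempts: ?open / ?opendatabase on a path that ends in '/'
  - mail-file enumeration: one client requesting many distinct /mail/<name>.nsf
  - password guessing: repeated 401 responses for the same .nsf from one client
Thresholds (3 names, 3 failures) are assumptions for the demo, not Domino defaults.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Combined log format: ip ident user [ts] "METHOD URL PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# A mail database opened directly, e.g. /mail/webmaster.nsf (no view/doc after it)
NSF_RE = re.compile(r'^/mail/([^/]+)\.nsf$', re.IGNORECASE)
# URL commands that enumerate a directory or database when applied to a '/' path
LISTING_CMDS = {"open", "opendatabase"}

# Constructed sample log: one noisy client (203.0.113.7) and one normal user
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jul/1999:19:37:45 +0000] "GET /?Open HTTP/1.0" 200 4123',
    '203.0.113.7 - - [08/Jul/1999:19:37:46 +0000] "GET /mail/?open HTTP/1.0" 200 2310',
    '203.0.113.7 - - [08/Jul/1999:19:37:47 +0000] "GET /mail/webmaster.nsf?open HTTP/1.0" 401 512',
    '203.0.113.7 - - [08/Jul/1999:19:37:48 +0000] "GET /mail/admin.nsf?open HTTP/1.0" 404 512',
    '203.0.113.7 - - [08/Jul/1999:19:37:49 +0000] "GET /mail/jsmith.nsf?open HTTP/1.0" 401 512',
    '203.0.113.7 - - [08/Jul/1999:19:37:50 +0000] "GET /mail/webmaster.nsf?open HTTP/1.0" 401 512',
    '203.0.113.7 - - [08/Jul/1999:19:37:51 +0000] "GET /mail/webmaster.nsf?open HTTP/1.0" 401 512',
    '198.51.100.4 - - [08/Jul/1999:19:40:00 +0000] "GET /mail/jsmith.nsf?OpenDatabase HTTP/1.0" 200 9000',
    '198.51.100.4 - - [08/Jul/1999:19:40:05 +0000] "GET /mail/jsmith.nsf/($Inbox)?OpenView HTTP/1.0" 200 9000',
]


def parse_line(line):
    """Split one access log line into ip, path, first URL command and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(unquote(rec["url"]))
    rec["path"] = parts.path
    # Domino commands are the first query token, e.g. ?OpenView&Start=1
    rec["cmd"] = parts.query.split("&", 1)[0].lower()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, enum_threshold=3, guess_threshold=3):
    """Return a list of (finding, ip, detail) tuples for the given log lines."""
    findings = []
    nsf_names = defaultdict(set)   # ip -> distinct mail-file names requested
    fails = defaultdict(int)       # (ip, name) -> count of 401 responses
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].endswith("/") and rec["cmd"] in LISTING_CMDS:
            findings.append(("listing_attempt", rec["ip"], rec["path"]))
        m = NSF_RE.match(rec["path"])
        if m:
            name = m.group(1).lower()
            nsf_names[rec["ip"]].add(name)
            if rec["status"] == 401:
                fails[(rec["ip"], name)] += 1
    for ip, names in nsf_names.items():
        if len(names) >= enum_threshold:
            findings.append(("mailfile_enumeration", ip, len(names)))
    for (ip, name), n in fails.items():
        if n >= guess_threshold:
            findings.append(("password_guessing", ip, name))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Only a direct request for `/mail/<name>.nsf` counts toward enumeration; a legitimate user who opens views or documents inside their own mail file (`/mail/jsmith.nsf/($Inbox)?OpenView`) never adds a second name for their address, so the normal client in the sample produces no finding. The 401 counter is what compensates for the post's observation that the lockout feature is off by default: if the server will not lock the account, the log is where the guessing becomes visible.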