[10984] in bugtraq
Re: L0pht 'Domino' Vulnerability is alive and well
daemon@ATHENA.MIT.EDU (Ryan Thomas Tecco)
Fri Jul 9 14:19:11 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.SOL.4.10.9907091205190.8310-100000@tempest.rs.itd.umich.edu>
Date: Fri, 9 Jul 1999 12:06:51 -0400
Reply-To: Ryan Thomas Tecco <rtecco@UMICH.EDU>
From: Ryan Thomas Tecco <rtecco@UMICH.EDU>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <OF1F41152C.BB2E8B6C-ON852567A8.006AB167@bahnso.com>
Even more frightening, head to:
http://domino.siteatlas.com/domino/siteatlas.nsf?Open
for a rather complete listing of worldwide industries, ranging from telco
to hotels, who run Domino...
rt
On Thu, 8 Jul 1999 mtremblay@BAHNSO.COM wrote:
> yep that's all true... yet I feel domino sites are quite secure for many other
> reasons...
> one of them being that domino is a very proprietary platform and that very few
> people know about common commands:
> url?open
> url?openform
> url?openpage
> url?opendatabase
>
> notes: www.lotus.com\?open would allow you to list all DBs on the server if not
> properly cfg... also note that mail files are almost always in a \mail dir wich
> may be accessible by www.lotus.com\mail\?open, also note that mail files are
> almost always named by the mail username (wich you can get by any other relevant
> mean such as smtp "verfy let'ssaywebmaster") and of type .nsf (as are all other
> notes db files)... moreover (and finaly this is my point!!!), there is no such
> thing as a "locked" account (am i right, if not, i know for sure that the
> "locked" feature is not enable by default), so just have yourself a perl script
> that try
>
> www.lotus.com\mail\webmaster.nsf?open
>
> with some brute force pcrack, and you're it!
>
> ps: this is fiction to a certain point, as I dont know the syntax of a url wich
> would feed the passwd/usern to the above location
>
> flames and applause welcome!!! ;)
>
