[13083] in bugtraq
Re: Lotus Notes HTTP cgi-bin vulnerability: possible workaround
daemon@ATHENA.MIT.EDU (Jens Frank)
Thu Dec 23 15:58:12 1999
Message-Id: <41256850.002D4F47.00@nsgdbk01.deutsche-boerse.de>
Date: Thu, 23 Dec 1999 09:14:55 +0100
Reply-To: Jens Frank <Jens_Frank@EXCHANGE.DE>
From: Jens Frank <Jens_Frank@EXCHANGE.DE>
X-To: BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,

the described workaround does work for Notes servers not using CGI at all.
However, there is still a problem with hiding the CGIs in a different
script directory:

GET /cgi-bin/test HTTP/1.0

HTTP/1.1 200 Found
Server: Lotus-Domino/Release-4.6.2a
Date: Thu, 23 Dec 1999 07:58:37 GMT
Content-Base: http://192.168.64.8/CeGeIh/test
Content-Type: text/html
Content-Length: 1841

Notes sends the "real" script directory in the Content-Base field of the
header. Using this information, the machine can still be crashed. (tested
successfully)

This is tested with 4.6.2a only since I don't have any other versions.

Regards,
jens

--
Jens Frank, Unix Systems
Deutsche Boerse AG
Fon +49 69 2101 5099
Fax +49 69 2101 3831
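
Added example, not part of the original message: a check an administrator can run over a captured request/response pair, after relocating the script directory or applying a fix, to confirm the server no longer names a different directory than the one requested. The function names are hypothetical, the sample is built from the headers quoted above, and checking Content-Location as well is an assumption that goes beyond the one header the message names.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample: the request and response headers quoted in the message.
SAMPLE_REQUEST = "GET /cgi-bin/test HTTP/1.0\r\n\r\n"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 Found\r\n"
    "Server: Lotus-Domino/Release-4.6.2a\r\n"
    "Date: Thu, 23 Dec 1999 07:58:37 GMT\r\n"
    "Content-Base: http://192.168.64.8/CeGeIh/test\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 1841\r\n"
    "\r\n"
)

# Response headers whose value is a URL for the returned entity.
# Content-Base is the one from the message; Content-Location is an added assumption.
URL_HEADERS = ("content-base", "content-location")


def parse_headers(raw):
    """Return {lowercased-name: value} for the header block of a raw message."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def requested_path(raw_request):
    """Path component of the request line, without any query string."""
    lines = raw_request.splitlines()
    parts = lines[0].split() if lines else []
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return urlsplit(parts[1]).path


def find_directory_leaks(raw_request, raw_response):
    """List (header, requested_dir, disclosed_dir) tuples where the response
    names a different directory than the one the client asked for."""
    asked = posixpath.dirname(requested_path(raw_request))
    headers = parse_headers(raw_response)
    leaks = []
    for name in URL_HEADERS:
        if name in headers:
            shown = posixpath.dirname(urlsplit(headers[name]).path)
            if shown and shown != asked:
                leaks.append((name, asked, shown))
    return leaks
```

An empty list from find_directory_leaks means the captured response did not name a directory other than the requested one in those headers.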