[18471] in bugtraq
Re: Lotus Domino 5.0.5 Web Server vulnerability - reading
daemon@ATHENA.MIT.EDU (Georgi Guninski)
Mon Jan 8 17:48:01 2001
Message-Id: <3A5A19CF.988951C6@guninski.com>
Date: Mon, 8 Jan 2001 21:49:35 +0200
Reply-To: Georgi Guninski <guninski@GUNINSKI.COM>
From: Georgi Guninski <guninski@GUNINSKI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Lotus wrote to me that they have been able to reproduce the vulnerability and shall fix it in
an upcoming release.
Georgi Guninski
Ben Greenbaum wrote:
>
> Summary of responses:
>
> ---
> From: rjmitchell@columbiaenergygroup.com
>
> I just tested this on our Domino 5.0.5 boxes running on Windows NT 4.0 (service
> pack 6a) and it did not work. Here is the error message I got:
>
> Error 0
>
> Forbidden - URL containing .. forbidden [don't try to break in]
>
> ---
> From: "Cristi Dumitrescu" <cristid@chip.ro>
>
> Tried on a Windows NT 4 machine with the same version of Domino and it does
> not work.
> Telnet session transcript:
> GET .nsf/../winnt/win.ini HTTP/1.0
>
> HTTP/1.1 404 Not found - file doesn't exist or is read protected [even tried
> multi]
>
> GET .nsf/../../winnt/win.ini HTTP/1.0
>
> HTTP/1.1 500 Forbidden - URL containing .. forbidden [don't try to break in]
>
> ---
> From: <rreiner@fscinternet.com>
>
> A few quick followups
>
> 1/ this vulnerability is also confirmed on Domino 5.0 (original
> release)
> 2/ this vulnerability is also confirmed on NT4
> 3/ it appears that this vulnerability does NOT affect Domino 5.0.5 on
> Linux
>
> ---
> From: John Cardona <jojaca@senamed.edu.co>
>
> I tested Lotus Domino 5.0 under NT 4.0 Service Pack 6a and it has the same
> vulnerability.
>
> ---
> From: TDyson@sybex.com
>
> Could not reproduce on Domino 5.0.5 nor 5.0.4 under Windows NT 4 (SP 5 or
> 6a - don't know for sure).
>
> -----------------------------------------
> http://TARGETDOMINO/.nsf/../winnt/win.ini
> -----------------------------------------
>
> Gives a 404 error
>
> -----------------------------------------
> http://TARGETDOMINO/../winnt/win.ini
> -----------------------------------------
>
> Gives a "Error 0 Forbidden - URL containing .. forbidden [don't try to
> break in]"
>
> Might be a result of configuration options in either Domino or NT. Servers
> checked have "Allow HTTP clients to browse databases:" set to NO.
>
> As an aside, I object to announcing such a potentially damaging
> vulnerability only 48 hours after the vendor was contacted.
>
> Thom Dyson
> Director of Information Services
> Sybex, Inc.
>
> ---
> From: "Philip Wagenaar" <pb.wagenaar@chello.nl>
>
> I have tried the exploit on several Lotus Domino 5.0.5 web servers but I
> wasn't able to reproduce the problem.
>
> ---
> From: Carsten.Schuette@hitcon.de
>
> NT 4 (German) SP5 is vulnerable too, but Dominos below 5.0.4 don't seem
> to have this malfunction.
>
> It was possible to get any file instead of NSFs, any suggestions why? Could
> it be possible to change the partition?
>
> ---
>
> Ben Greenbaum
> Director of Site Content
> SecurityFocus
> http://www.securityfocus.com
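
An added example, not part of the original thread: a log check for the two request shapes the respondents tested, a `..` segment directly after a segment ending in `.nsf` and a path that climbs above the web root. The Common Log Format input, the function names and every sample line are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines: addresses, times, status codes and sizes
# are made up. The request paths are the ones quoted in the thread, plus one
# ordinary database request.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jan/2001:10:00:01 +0200] "GET /.nsf/../winnt/win.ini HTTP/1.0" 404 210',
    '192.0.2.10 - - [08/Jan/2001:10:00:05 +0200] "GET /.nsf/../../winnt/win.ini HTTP/1.0" 500 180',
    '192.0.2.20 - - [08/Jan/2001:10:01:00 +0200] "GET /../winnt/win.ini HTTP/1.0" 500 180',
    '192.0.2.30 - - [08/Jan/2001:10:02:00 +0200] "GET /.nsf/../winnt/win.ini HTTP/1.0" 200 477',
    '192.0.2.40 - - [08/Jan/2001:10:03:00 +0200] "GET /names.nsf/People?OpenView HTTP/1.0" 200 4096',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

def classify(line):
    """Parse one log line; return None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    # Compare paths in one form: no query string, percent-escapes decoded,
    # backslashes treated as separators (Windows file APIs accept both).
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    depth, escapes_root, nsf_dotdot, prev = 0, False, False, ""
    for seg in (s for s in path.split("/") if s not in ("", ".")):
        if seg == "..":
            depth -= 1
            escapes_root = escapes_root or depth < 0
            nsf_dotdot = nsf_dotdot or prev.lower().endswith(".nsf")
        else:
            depth += 1
        prev = seg
    return {"client": client, "path": path, "status": int(status),
            "nsf_dotdot": nsf_dotdot, "escapes_root": escapes_root,
            "served": status.startswith("2")}

def find_hits(lines):
    """Return flagged requests, those answered with a 2xx status first."""
    recs = [r for r in map(classify, lines) if r]
    hits = [r for r in recs if r["nsf_dotdot"] or r["escapes_root"]]
    return sorted(hits, key=lambda r: not r["served"])

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Flagged requests that were answered with a 2xx status sort first, since those are the ones where the server returned content rather than an error.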