[24093] in bugtraq
Re: Lotus Domino password bypass
daemon@ATHENA.MIT.EDU (Chad Loder)
Mon Feb 4 17:19:58 2002
Message-Id: <5.1.0.14.2.20020204120300.03b1e978@pop-server.socal.rr.com>
Date: Mon, 04 Feb 2002 12:23:22 -0800
To: gmaggiot@ciudad.com.ar
From: Chad Loder <chad@rapid7.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: <3C5E072D.29FA57FB@ciudad.com.ar>
Mime-Version: 1.0
Content-Type: multipart/signed;
boundary="=====--==-====---=--==-==-=--=------------==--=-";
protocol="application/pgp-signature"; micalg=pgp-md5
--=====--==-====---=--==-==-=--=------------==--=-
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
We've reproduced this on Domino 5.0.8 and earlier. Domino
version 5.0.9 does NOT appear to be vulnerable (it gives
an Error 500 Unable to Process Request).
I seem to remember another variant of this vulnerability
having been reported before. However I can't find the URL
for the advisory (it might have been David Litchfield
from NextGenSS) -- the reason I think so is because Lotus
fixed a whole slew of template access problems in 5.0.9
(apparently including this one).
As far as I can tell, this vulnerability only allows you to
access the design template (.ntf), not the database itself
(.nsf).
However, access to the webadmin.ntf template in particular
can be very dangerous. As David Litchfield reported last year
(yes I'm sure it was him this time :-), attackers can use that
template to read files on the Domino system. So this bug may
provide another way to get at the web admin template. See the
following for more information:
http://www.securityfocus.com/bid/3491
We have added a check for this URL variant to NeXpose,
our security scanner. Visit http://www.rapid7.com to
learn more and to download.
Gabriel Maggiotti wrote:
>---------------------------------------------------------------------------
>Web: http://qb0x.net Author: Gabriel A. Maggiotti
>Date: Febrary 03, 2002 E-mail: gmaggiot@ciudad.com.ar
>---------------------------------------------------------------------------
>
>
>General Info
>------------
>Problem Type : password protected url bypass
>Product : Lotus Domino
>Scope : Remote
>Risk : High
>
Chad Loder <chad@rapid7.com>
Principal Engineer
Rapid 7, Inc. <http://www.rapid7.com>
--=====--==-====---=--==-==-=--=------------==--=-
Content-Type: application/pgp-signature
-----BEGIN PGP MESSAGE-----
Version: PGP 7.0.1
iQCVAwUBPF7tuk+oRrerFocZAQEZ6QP8Dz8rvAd8Y28IAdjHCYtjI69TmWV11bZF
fQpYfm+PGM9MBeyYxxYLpaplvsUWDjYAe9aHHoPtD3JtTxCGPPEC5aIKy6ShwuKd
kX7acOd9G3w3qSwkmgoU2RJgg67FPZGD+HW10rB2y/znw2op+j9Dd2JWQbXEhi3n
1Bsa+6Q7+fo=
=Eql0
-----END PGP MESSAGE-----
--=====--==-====---=--==-==-=--=------------==--=---
