[24100] in bugtraq
Re: Lotus Domino password bypass
daemon@ATHENA.MIT.EDU (David Litchfield)
Mon Feb 4 19:32:12 2002
Message-ID: <00ba01c1ada2$0336ba30$71e693c3@XU5UDGJMHXJ300>
From: "David Litchfield" <david@nextgenss.com>
To: <vuln-dev@securityfocus.com>, <bugtraq@securityfocus.com>
Date: Mon, 4 Feb 2002 17:33:06 -0000
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
> Summary
> -------
> A security vulnerability has been found in the popular Lotus Domino Web
server.
SNIP
> normal url: http://host.com/log.nsf <---- Request for a passwd
> modify url: http://host.com/log.ntf<buff>.snf/
This is a known problem and has already been addressed by Lotus. Regardless,
the .ntf file you're accessing here is a notes template file and is the
model upon which the real log database (.nsf) is based upon. There is
nothing in these template files of worth save for the Domino Web
Administrator template. As anonymous access can be gained to this template
attackers can use some of the functionality to read text files on the system
or enumerate databases. Also of note is cache.dsk. Using the same techinique
attackers can access this cache file which can allow an attacker to
enumerate databases on the remote system.
To protect against this problem install the patch from Lotus. Further, using
Domino Designer set the ACLs on the Web Administrator template to prevent
anonymous access. Please note that in future distributions Lotus has
defaulted the ACLs on webadmin.ntf to prevent access.
Cheers,
David Litchfield
http://www.ngssoftware.com/
p.s. NGSSoftware's DominoScan can be used to determine if your Domino server
is vulnerable to this problem.
