[24170] in bugtraq


Re: KPMG-2002004: Lotus Domino Webserver DOS-device Denial of Service

daemon@ATHENA.MIT.EDU (Nicolas Gregoire)
Thu Feb 7 15:55:40 2002

From: Nicolas Gregoire <ngregoire@exaprobe.com>
To: bugtraq@securityfocus.com
Date: Thu, 07 Feb 2002 18:32:15 +0100
In-Reply-To: <001101c1ad84$15bc39f0$1f00a8c0@KPMGIRMPGRUNDL>
Message-Id: <93WSD072LQLA5GAWR8552GW1YOMK.3c62ba1f@NICOLAS>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"

04/02/2002 14:58:55, Peter Gründl <pgrundl@kpmg.dk> wrote:

>A request for a DOS-device from CGI-BIN with any given extension
>is accepted by the server as a valid request and is passed on
>to the cgihandler (nhttpcgi.exe).

I've played a little bit with a Lotus Domino server (version 5.0.8) on Windows 2000 and
with NoBanner set to 1.

I've found two strange behaviours:

1°)

When the requested script has a ".pl" extension, the physical path of the file is revealed.
This allows us to identify (in this case) a Windows version.

Quick cut-and-paste of the result page:

======8<==========================================================
Error 500
Execution of Perl script e:\notes\data\domino\cgi-bin\NUL.pl failed. Error = 2
--------------------------------------------------------------------------------
Lotus-Domino/5.0.8 
Content-type: text/html 
Error 500
Unable to run CGI program. No such file or directory
--------------------------------------------------------------------------------
Lotus-Domino/5.0.8 
======8<==========================================================

I've not investigated why there are two "Error 500" in this page.


2°)

Any 500 error code is sent with the banner (here "Lotus-Domino/5.0.8") despite the
NoBanner setting.




Nicolas Gregoire
Exaprobe
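The requests discussed in this thread are easy to spot in a web server's access log, because Windows treats a reserved device name as the device no matter which directory or extension follows it ("NUL.pl" is still NUL). The following scanner is an added example for defenders, not code from the post or from Lotus; it assumes Common Log Format lines, and the log entries below are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Reserved DOS device names Windows resolves regardless of directory or extension.
DOS_DEVICES = ({"CON", "PRN", "AUX", "NUL"}
               | {f"COM{i}" for i in range(1, 10)}
               | {f"LPT{i}" for i in range(1, 10)})

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def requested_device(path):
    """Return the DOS device name a URL path resolves to, or None.

    The extension and any trailing dots/spaces are ignored, mirroring how
    Windows decides whether a file name is a device ('nul.pl', '%4Eul.pl'
    and 'COM1.' all match; 'nullify.pl' and 'com10.pl' do not).
    """
    name = unquote(urlsplit(path).path).rsplit("/", 1)[-1]
    base = name.split(".", 1)[0].rstrip(" .").upper()
    return base if base in DOS_DEVICES else None

def scan_log(lines):
    """Return one record per request whose target resolves to a DOS device.

    The status is kept because the post notes that Domino answers such
    requests with a 500 page that carries the physical path and the banner.
    """
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        client, when, method, path, status = m.groups()
        device = requested_device(path)
        if device:
            hits.append({"client": client, "time": when, "method": method,
                         "path": path, "status": int(status), "device": device,
                         "cgi_bin": "/cgi-bin/" in path.lower()})
    return hits

# Constructed sample log lines (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [07/Feb/2002:18:32:15 +0100] "GET /cgi-bin/NUL.pl HTTP/1.0" 500 312',
    '10.0.0.5 - - [07/Feb/2002:18:32:20 +0100] "GET /cgi-bin/com1.exe?x=1 HTTP/1.0" 500 280',
    '10.0.0.9 - - [07/Feb/2002:18:33:01 +0100] "GET /cgi-bin/search.pl?q=nul HTTP/1.0" 200 4521',
    '10.0.0.9 - - [07/Feb/2002:18:33:05 +0100] "GET /names.nsf HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(f"{hit['time']} {hit['client']} -> {hit['device']} via {hit['path']} ({hit['status']})")
```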




