[18468] in bugtraq
Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files
daemon@ATHENA.MIT.EDU (Ben Greenbaum)
Mon Jan 8 14:51:01 2001
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSO.4.30.0101080812490.26750-100000@mail>
Date: Mon, 8 Jan 2001 08:17:14 -0800
Reply-To: Ben Greenbaum <bgreenbaum@SECURITYFOCUS.COM>
From: Ben Greenbaum <bgreenbaum@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Summary of responses:
---
From: rjmitchell@columbiaenergygroup.com
I just tested this on our Domino 5.0.5 boxes running on Windows NT 4.0 (service
pack 6a) and it did not work. Here is the error message I got:
Error 0
Forbidden - URL containing .. forbidden [don't try to break in]
---
From: "Cristi Dumitrescu" <cristid@chip.ro>
Tried on a Windows NT 4 machine with the same version of Domino and it does
not work.
Telnet session transcript:
GET .nsf/../winnt/win.ini HTTP/1.0
HTTP/1.1 404 Not found - file doesn't exist or is read protected [even tried
multi]
GET .nsf/../../winnt/win.ini HTTP/1.0
HTTP/1.1 500 Forbidden - URL containing .. forbidden [don't try to break in]
---
From: <rreiner@fscinternet.com>
A few quick follow-ups:
1/ this vulnerability is also confirmed on Domino 5.0 (original
release)
2/ this vulnerability is also confirmed on NT4
3/ it appears that this vulnerability does NOT affect Domino 5.0.5 on
Linux
---
From: John Cardona <jojaca@senamed.edu.co>
I tested Lotus Domino 5.0 under NT 4.0 Service Pack 6a and it has the same
vulnerability.
---
From: TDyson@sybex.com
Could not reproduce on Domino 5.0.5 or 5.0.4 under Windows NT 4 (SP 5 or
6a - don't know for sure).
-----------------------------------------
http://TARGETDOMINO/.nsf/../winnt/win.ini
-----------------------------------------
Gives a 404 error
-----------------------------------------
http://TARGETDOMINO/../winnt/win.ini
-----------------------------------------
Gives a "Error 0 Forbidden - URL containing .. forbidden [don't try to
break in]"
Might be a result of configuration options in either Domino or NT. Servers
checked have "Allow HTTP clients to browse databases:" set to NO.
As an aside, I object to announcing such a potentially damaging
vulnerability only 48 hours after the vendor was contacted.
Thom Dyson
Director of Information Services
Sybex, Inc.
---
From: "Philip Wagenaar" <pb.wagenaar@chello.nl>
I have tried the exploit on several Lotus Domino 5.0.5 web servers but I
wasn't able to reproduce the problem.
---
From: Carsten.Schuette@hitcon.de
NT 4 (German) SP5 is vulnerable too, but Domino versions below 5.0.4 don't seem
to have this malfunction.
It was possible to get any file instead of NSFs, any suggestions why? Could
it be possible to change the partition?
---
Ben Greenbaum
Director of Site Content
SecurityFocus
http://www.securityfocus.com
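As an added example (not from any respondent, and not Lotus code), the following Python scan applies the rule the respondents' servers report ("URL containing .. forbidden") to web-server log lines, so an administrator can see which requests carrying ".." were refused (404/500) and which were answered 200 and therefore need a closer look. The log lines, client addresses and the 200 entry are constructed for illustration; the percent-decoding step generalizes beyond the literal paths quoted in the thread.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). The
# first two mirror the request shapes the respondents tested; the fourth
# is a hypothetical request that was answered 200, i.e. a possible read.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2001:08:17:14 -0800] "GET /.nsf/../winnt/win.ini HTTP/1.0" 404 0
10.0.0.5 - - [08/Jan/2001:08:17:20 -0800] "GET /../winnt/win.ini HTTP/1.0" 500 0
10.0.0.9 - - [08/Jan/2001:08:18:02 -0800] "GET /names.nsf?OpenDatabase HTTP/1.0" 200 3120
10.0.0.7 - - [08/Jan/2001:08:19:41 -0800] "GET /.nsf/../winnt/win.ini HTTP/1.0" 200 512
"""

REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def has_dotdot_segment(target: str) -> bool:
    """The rule the respondents' servers apply: any '..' path segment is refused.

    Only the path part is examined (the query string is dropped), and it is
    percent-decoded first so the check sees the path the server would resolve.
    """
    path = unquote(target.split("?", 1)[0])
    return any(seg == ".." for seg in path.split("/"))


def scan_log(text: str):
    """Return (client, target, status) for every request carrying a '..' segment.

    A 404 or 500 shows the server refused it; a 200 means a file was actually
    served and the host should be compared against the Domino/NT combinations
    the thread reports as affected.
    """
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and has_dotdot_segment(m["target"]):
            client = line.split(" ", 1)[0]
            hits.append((client, m["target"], int(m["status"])))
    return hits


def served_traversals(text: str):
    """Subset of scan_log() hits that were answered 200."""
    return [h for h in scan_log(text) if h[2] == 200]


if __name__ == "__main__":
    for client, target, status in scan_log(SAMPLE_LOG):
        print(f"{client} {target} -> {status} ({'SERVED' if status == 200 else 'refused'})")
```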