[18502] in bugtraq
Re: bugtraq id 2173 Lotus Domino Server
daemon@ATHENA.MIT.EDU (Hendrik-Jan Verheij)
Tue Jan 9 18:06:29 2001
Message-ID: <00a101c07a79$c20ae7e0$dd010037@delllatitude>
Date: Tue, 9 Jan 2001 21:21:32 +0100
Reply-To: Hendrik-Jan Verheij <h.j.verheij@POPIN.NL>
From: Hendrik-Jan Verheij <h.j.verheij@POPIN.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Thanks to Ninke Westra for testing this...
The same problem as in my previous post exists in this case.
If you append a phoney directory to the url passed on to the webserver the exploit will still work, however you have to back out an extra time.
example url:
target.victim.com/nonexistingdir/.nsf/../../fileyouwanttoget
This makes the url redirection solution less obvious to guess, but it still leaves you vulnerable.
Regards,
Hendrik-Jan Verheij http://redheat.org
Hostmaster Popin Internet +3174 2555770
h.j.verheij@popin.nl http://www.popin.nl
Assimilation is irrelevant, You are futile!
----- Original Message -----
From: Alan Bell
To: BUGTRAQ@SECURITYFOCUS.COM
Sent: Tuesday, January 09, 2001 12:02 PM
Subject: bugtraq id 2173 Lotus Domino Server
Further information on this issue:
1) This issue has been reproduced on several versions of domino prior to 5.0.5
2) My testing has failed to reproduce this issue on Linux and OS/400 (AS/400)
3) To secure your boxes create 3 file protection documents for each server granting no access to the following paths.
/.nsf/../
/.box/../
/.ns4/../
the other common domino extensions .ns3 and .ntf do not appear to be vulnerable. This is not a Lotus supported solution (as yet) so there may be additional similar paths with this behaviour. You should watch http://www.notes.net for an upgrade which will probably appear as 5.0.6a.
Alan.
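A defender-side check for the pattern both posts describe (the bare `/.nsf/../` form and the phoney-directory variant), written as an added example that is not part of either message. The access-log lines, client addresses and file names are constructed, and the regex assumes a common-log-format access log rather than Domino's own log layout.

```python
"""Flag '<ext>/..' back-out requests against a Domino web server in an access log."""
import re
from urllib.parse import unquote

# Extensions the advisory names as reachable via '<ext>/../'; extend if more turn up.
TRAVERSAL_EXTENSIONS = (".nsf", ".box", ".ns4")

# Constructed common-log-format line (assumption: not Domino's native log format).
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: two clean requests, three traversal attempts.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jan/2001:21:21:32 +0100] "GET /names.nsf?Open HTTP/1.0" 200 5120
10.0.0.9 - - [09/Jan/2001:21:22:01 +0100] "GET /.nsf/../fileyouwanttoget HTTP/1.0" 200 814
10.0.0.9 - - [09/Jan/2001:21:22:15 +0100] "GET /nonexistingdir/.nsf/../../fileyouwanttoget HTTP/1.0" 200 814
10.0.0.9 - - [09/Jan/2001:21:22:40 +0100] "GET /x/.box/%2e%2e/%2e%2e/otherfile HTTP/1.0" 403 0
10.0.0.7 - - [09/Jan/2001:21:23:05 +0100] "GET /help/readme.nsf HTTP/1.0" 200 2048
"""


def _decoded_path(url_path: str) -> str:
    # Drop the query string, then percent-decode twice to also catch %252e-style encoding.
    return unquote(unquote(url_path.split("?", 1)[0]))


def is_domino_traversal(url_path: str) -> bool:
    """True if a segment ending in a listed extension is immediately followed by '..'.
    Looking at the segment pair, not the full prefix, catches the phoney-directory
    variant '/anything/.nsf/../../file' as well as the bare '/.nsf/../file' form."""
    segments = _decoded_path(url_path).split("/")
    for cur, nxt in zip(segments, segments[1:]):
        if cur.lower().endswith(TRAVERSAL_EXTENSIONS) and nxt == "..":
            return True
    return False


def escapes_root(url_path: str) -> bool:
    """True only if collapsing '..' lexically climbs above '/'. Shown for contrast:
    the phoney-directory URL passes this check, so it is not a sufficient filter."""
    depth = 0
    for seg in _decoded_path(url_path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def scan_log(text: str) -> list:
    """Return (client, path, status) for every request matching the traversal rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_domino_traversal(m["path"]):
            hits.append((m["host"], m["path"], m["status"]))
    return hits
```

Lexically the phoney-directory URL never climbs above `/`, so a normaliser that only rejects root escapes lets it through; that is why the rule here, like the file protection documents in Alan Bell's post, keys on the `<ext>/..` segment pair. A 200 status on a flagged line is the signal worth alerting on, since a 403 means the protection document already caught it.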