[18517] in bugtraq
Re: Lotus Domino 5.0.5 Web Server vulnerability - reading fi
daemon@ATHENA.MIT.EDU (Ben Greenbaum)
Wed Jan 10 12:28:55 2001
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSO.4.30.0101100857510.25884-100000@mail>
Date: Wed, 10 Jan 2001 09:04:30 -0800
Reply-To: Ben Greenbaum <bgreenbaum@SECURITYFOCUS.COM>
From: Ben Greenbaum <bgreenbaum@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Summary of responses to .nsf/../ issue:
---------------------------
From: tschweikle@FIDUCIA.de
Domino is installed in D:\programme\notes, the data-directory
is D:\programme\notes\data (an NT4 box with Domino R4.6.7):

with http://myserver/.nsf/../Programme/notes/data/notes.ini
I might therefore reach notes.ini. But:

Error 404
Not found - file doesn't exist or is read protected [even tried multi]

My second box is Linux with Domino R5.0.6:
installation path is: /opt/lotus/notes. Data is in /local/notesdata
These are different partitions.

Trying
http://myserver2/.nsf/../local/notesdata/notes.ini or
http://myserver2/.nsf/../notesdata/notes.ini or
http://myserver2/.nsf/../notes.ini or
http://myserver2/.nsf/../opt/lotus/notes/license.txt
...
http://myserver2/.nsf/../opt/license.txt
all give the same error:

Error 404
Not found - file doesn't exist or is read protected [even tried multi]

Thus I couldn't confirm your vulnerability. But on the other hand,
both servers are really restrictive in what is allowed to do for
domino. Maybe the error message should read: "... does not have
permission to read this file."
But remarkably there are no log entries telling me one tried to
access a normally inaccessible file. Apache tells me about such
an attempt!
---------------------------------
From: Karl_Rademacher@agl.aon.com
I've been unable to reproduce this on a machine under my control. It just
strips out the .nsf/../ portion of the url and returns the standard "404 File
not found" message. Did you experience anything like that (in other words, am I
doing something wrong?). Here are the particulars of the server in question:
NT4 SP6 with TCP security patches
All forms of NT networking un-installed except the IP stack.
Domino R5.05 running on a non-system partition
HTTP server forces an ssl connect, user authentication and doesn't allow
directory browsing.
I'm thinking that something to do with the directory browsing restriction
is causing the .nsf/../ to be stripped out of the GET request by the server, but
I could be wrong. Still, I don't get the "URL Containing .. Forbidden" message.
Any insights?
----------------------------------------
From: Felix Grushevskiy <fil@viaduk.net>
Version 5.06 (nt4sp6a) is also affected by this
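
---------------------------------
Added example, not part of any message in this thread: the first response notes that the server left no log entry for the .nsf/../ requests. The sketch below flags such requests in an access log after the fact, assuming Common Log Format lines (for instance from a proxy in front of the server); all log lines, addresses and the db.nsf name are constructed.

```python
import re
from urllib.parse import unquote

# Assumed input: Common Log Format, request field "METHOD target PROTOCOL".
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})')

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so the check runs on the normalized path."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_nsf_traversal(target):
    """True if a path segment ending in .nsf is directly followed by '..'."""
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    segments = [s for s in path.split("/") if s != ""]
    for current, following in zip(segments, segments[1:]):
        if current.lower().endswith(".nsf") and following == "..":
            return True
    return False

def scan(log_lines):
    """Return (status, target) for every request matching the pattern."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and is_nsf_traversal(m.group("target")):
            hits.append((int(m.group("status")), m.group("target")))
    return hits

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2001:09:04:30 -0800] "GET /.nsf/../notes.ini HTTP/1.0" 404 210',
    '192.0.2.10 - - [10/Jan/2001:09:04:31 -0800] "GET /names.nsf?OpenDatabase HTTP/1.0" 200 5120',
    '192.0.2.11 - - [10/Jan/2001:09:05:02 -0800] "GET /.nsf/%2e%2e/opt/license.txt HTTP/1.0" 404 210',
    '192.0.2.12 - - [10/Jan/2001:09:06:15 -0800] "GET /db.nsf/../readme.txt HTTP/1.0" 200 88',
    '192.0.2.13 - - [10/Jan/2001:09:07:40 -0800] "GET /docs/../index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for status, target in scan(SAMPLE_LOG):
        print(status, target)
```

The status code is returned with each hit so that a match answered with anything other than 404 can be reviewed first.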