[18590] in bugtraq
Re: Lotus Domino 5.0.5 Web Server vulnerability - reading fi
daemon@ATHENA.MIT.EDU (Kai Rossner)
Fri Jan 12 16:35:02 2001
Message-ID: <20010111151215.23898.qmail@www5>
Date: Thu, 11 Jan 2001 15:12:15 -0000
Reply-To: kai.rossner@CONNECTOR.DE
From: Kai Rossner <kai.rossner@CONNECTOR.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
I can reproduce it with
- domino 5.05 (german) on a win 2k professional workstation with the netscape navigator 4.75
- domino 5.01 (german) on a win2k server with the netscape navigator 4.75
I can't reproduce it with
- domino 4.6x on NT4 server (Intel and Alpha)
- domino 5.0x on NT4 Server (Alpha)
> Summary of responses to .nsf/../ issue:
>
> ---------------------------
> From: tschweikle@FIDUCIA.de
>
> Domino is installed in D:\programme\notes, the data-directory
> is D:\programme\notes\data (an NT4 box with Domino R4.6.7):
>
> with http://myserver/.nsf/../Programme/notes/data/notes.ini
> I might therefore reach notes.ini. But:
>
> Error 404
> Not found - file doesn't exist or is read protected [even tried multi]
>
> My second box is Linux with Domino R5.0.6:
>
> installation path is: /opt/lotus/notes. Data is in /local/notesdata
> These are different partitions.
>
> Trying
>
> http://myserver2/.nsf/../local/notesdata/notes.ini or
> http://myserver2/.nsf/../notesdata/notes.ini or
> http://myserver2/.nsf/../notes.ini or
> http://myserver2/.nsf/../opt/lotus/notes/license.txt
> ...
> http://myserver2/.nsf/../opt/license.txt
>
> all give the same error:
>
> Error 404
> Not found - file doesn't exist or is read protected [even tried multi]
>
>
> Thus I couldn't confirm your vulnerability. But on the other hand,
> both servers are really restrictive in what is allowed to do for
> domino. Maybe the error message should read: "... does not have
> permission to read this file."
>
> But remarkably there are no log entries telling me one tried to
> access a normally inaccessible file. Apache tells me about such
> an attempt!
>
> ---------------------------------
> From: Karl_Rademacher@agl.aon.com
> I've been unable to reproduce this on a machine under my control. It just
> strips out the .nsf/../ portion of the url and returns the standard "404 File
> not found" message. Did you experience anything like that (in other words, am I
> doing something wrong?). Here are the particulars of the server in question:
>
> NT4 SP6 with TCP security patches
> All forms of NT networking un-installed except the IP stack.
> Domino R5.05 running on a non-system partition
> HTTP server forces an ssl connect, user authentication and doesn't allow
> directory browsing.
>
> I'm thinking that something to do with the directory browsing restriction
> is causing the .nsf/../ to be stripped out of the GET request by the server, but
> I could be wrong. Still, I don't get the "URL Containing .. Forbidden" message.
> Any insights?
>
>
> ----------------------------------------
> From: Felix Grushevskiy <fil@viaduk.net>
>
> Version 5.06 (nt4sp6a) is also affected by this
>
>
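
An added example, not part of the original message or its quoted replies: a Python check of the kind the first quoted reply found missing from the server's logs, flagging request targets in which a `..` segment follows a segment ending in `.nsf`, including percent-encoded and backslash forms. The log lines, client addresses and the `example.nsf` name are constructed, and the Common Log Format layout is an assumption about the access log.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (Common Log Format assumed); all values are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Jan/2001:15:01:02 +0000] "GET /.nsf/../local/notesdata/notes.ini HTTP/1.0" 404 210
192.0.2.10 - - [11/Jan/2001:15:01:09 +0000] "GET /%2Ensf/%2e%2e/notes.ini HTTP/1.0" 404 210
192.0.2.11 - - [11/Jan/2001:15:02:00 +0000] "GET /mail/example.nsf?OpenDatabase HTTP/1.0" 200 5120
192.0.2.12 - - [11/Jan/2001:15:03:00 +0000] "GET /.nsf\\..\\notes.ini HTTP/1.0" 404 210
192.0.2.13 - - [11/Jan/2001:15:04:00 +0000] "GET /docs/a/../b.html HTTP/1.0" 200 100
"""
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def segments(target):
    """Split the path part into segments after bounded percent-decoding."""
    path = target.split("?", 1)[0]
    for _ in range(3):                  # also unwraps double-encoded dots
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return [s for s in re.split(r"[/\\]+", path) if s]   # treat \ like /

def classify(target):
    """Return 'nsf-dotdot', 'escapes-root' or None for a request target."""
    depth, prev, escapes, after_nsf = 0, "", False, False
    for seg in segments(target):
        if seg == "..":
            after_nsf = after_nsf or prev.lower().endswith(".nsf")
            depth -= 1
            escapes = escapes or depth < 0
        elif seg != ".":
            depth += 1
        prev = seg
    if after_nsf:
        return "nsf-dotdot"             # the .nsf/../ form discussed in this thread
    return "escapes-root" if escapes else None

def scan(log_text):
    """Return (client, target, reason) for every flagged request line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        reason = classify(m.group(1)) if m else None
        if reason:
            hits.append((line.split()[0], m.group(1), reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Requests are flagged regardless of the status code, since the replies above show the same 404 returned whether or not the server is affected.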