[18597] in bugtraq
Re: Lotus Domino: security hole the size of Texas,
daemon@ATHENA.MIT.EDU (Vinci Chou)
Fri Jan 12 16:59:26 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <3A5ECE0A.917A0D2C@bigfoot.com>
Date: Fri, 12 Jan 2001 17:27:38 +0800
Reply-To: Vinci Chou <Captainbig@BIGFOOT.COM>
From: Vinci Chou <Captainbig@BIGFOOT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Lotus has posted the official response at
http://www.lotus.com/home.nsf/welcome/securityzone
or you can go to the page directly at
http://www.lotus.com/developers/itcentral.nsf/F09A97EFEF47030F8525674B00574590/22E3F54E2239EE63852569D2000AD6B6?OpenDocument
Basically, Lotus refuted his claims.

Also, my colleagues have downloaded the netsed program from Michal
Zalewski's web site but we were unable to reproduce what he claimed.
If we modified the user name from UserA to UserB at the initial
connection, we got an authorization failure. If we modified the mailbox
name from mail\UserA.nsf to mail\UserB.nsf after the initial
authorization, we observed that the server returned the *modified*
mailbox name, i.e. mail\UserB.nsf, in the response. Also, when you click
on the properties of the mailbox icon, it says mail\UserB.nsf. At this
point, you would have thought that you successfully switched to the
mailbox of UserB. However, when you open the mailbox, the actual
content displayed is still that of UserA!

So, what has been changed was only the mailbox name as shown in the
mailbox icon. Michal Zalewski could have been misled into thinking that he
is accessing the mailbox of UserB.

Vinci