Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Lotus Domino Web server vulnerability

From: Sebastien EXT-MICHAUD <Sebastien.EXT-MICHAUD () atofina com>
Date: Fri, 7 Dec 2001 14:23:10 +0100
Tested on :
-----------
LOTUS DOMINO 5.0.5 (french) and LOTUS DOMINO 5.0.8 (french) with http service running.
OS : Windows NT 4.0 sp4

Description :
-------------
With a particular craft URL, an anonymous users can lock the databases accesses. 

Result : Any notes users (even the administrators and the servers) can not access the targeted databases until the 
domino server will be restarted .

Except the fact that this bug induce a DoS on the targeted bases, it can perform a DoS on the entire Domino server, if 
certainty bases are locked. In this case there is no way to stop the Domino server task. The computer need to be 
phisically reboot.

This bug appears when the targeted database is not in-use by the server (so, names.nsf and admin4.nsf are not focused 
here) and requested through a web browser with the database name precess by a " /./ " in the requested URL.  

Note :
---------------
We have warned Lotus on the 11/23/01, but we did not receive any answer from their part.

Exploit :
----------
http://server_adress/directory/./base_name.nsf

Example to lock the WEDADMIN.NSF database : 
http://server/./webadmin.nsf

Example to lock the administrator mailbox : http://server/mail/./administrator.nsf

Sébastien MICHAUD --- Olivier ALLAIRE
I.T. Security engineer
CONIX
Previous By Date Next
Previous By Thread Next

Current thread: