Re: Lotus Domino 5.0.5 Web Server vulnerability - reading fi

[Kai Rossner <kai.rossner () CONNECTOR DE>]

I can reproduce it with

- domino 5.05 (german) on a win 2k professional   
  workstation with the netscape navigator 4.75
- domino 5.01 (german) on a win2k server with
  the netscape navigator 4.75

I can´t reproduce it with

- domino 4.6x on NT4 server (Intel and Alpha)
- domino 5.0x on NT4 Server (Alpha)

> Summary of responses to .nsf/../ issue:
>
> ---------------------------
> From: tschweikle () FIDUCIA de
>
> Domino is installed in D:\programme\notes, the 
data-directory
> is D:\programme\notes\data (an NT4 box with 
Domino R4.6.7):
> with 
http://myserver/.nsf/../Programme/notes/data/notes.ini
> I might therefore reach notes.ini. But:
>
> Error 404
> Not found - file doesn't exist or is read protected 
[even tried multi]
> My second box is Linux with Domino R5.0.6:
>
> installation path is: /opt/lotus/notes. Data is 
in /local/notesdata
> These are different partitions.
>
> Trying
>
> http://myserver2/.nsf/../local/notesdata/notes.ini or
> http://myserver2/.nsf/../notesdata/notes.ini or
> http://myserver2/.nsf/../notes.ini or
> http://myserver2/.nsf/../opt/lotus/notes/license.txt
> ...
> http://myserver2/.nsf/../opt/license.txt
>
> all give the same error:
>
> Error 404
> Not found - file doesn't exist or is read protected 
[even tried multi]
> Thus I couldn't confirm your vulnerability. But on the 
other hand,
> both servers are really restrictive in what is allowed 
to do for
> domino. Maybe the error message should read: "... 
does not have
> permission to read this file."
>
> But remarkably there are no log entries telling me 
one tried to
> access an normally inaccessible file. Apache tells 
me about such
> an attempt!
>
> ---------------------------------
> From: Karl_Rademacher () agl aon com
>      I've been unable to reproduce this on a machine 
under my control. It just
> strips out the .nsf/../ portion of the url and returns 
the standard "404 File
> not found" message. Did you experience anything 
like that (in other words, am I
> doing something wrong?). Here are the particulars 
of the server in question:
> NT4 SP6 with TCP security patches
> All forms of NT networking un-installed except the 
IP stack.
> Domino R5.05 running on a non-system partition
> HTTP server forces an ssl connect, user 
authentication and doesn't allow
> directory browsing.
>
>      I'm thinking that something to do with the 
directory browsing restriction
> is causing the .nsf/../ to be stripped out of the GET 
request by the server, but
> I could be wrong. Still, I don't get the "URL 
Containing .. Forbidden" message.
> Any insights?
>
>
> ----------------------------------------
> From: Felix Grushevskiy <fil () viaduk net>
>
> Version 5.06 (nt4sp6a) is also affected by this