Bugtraq mailing list archives
Re: Lotus Domino password bypass
From: Chad Loder <chad () rapid7 com>
Date: Mon, 04 Feb 2002 12:23:22 -0800
We've reproduced this on Domino 5.0.8 and earlier. Domino version 5.0.9 does NOT appear to be vulnerable (it gives an Error 500 Unable to Process Request). I seem to remember another variant of this vulnerability having been reported before. However I can't find the URL for the advisory (it might have been David Litchfield from NextGenSS) -- the reason I think so is because Lotus fixed a whole slew of template access problems in 5.0.9 (apparently including this one). As far as I can tell, this vulnerability only allows you to access the design template (.ntf), not the database itself (.nsf). However, access to the webadmin.ntf template in particular can be very dangerous. As David Litchfield reported last year (yes I'm sure it was him this time :-), attackers can use that template to read files on the Domino system. So this bug may provide another way to get at the web admin template. See the following for more information: http://www.securityfocus.com/bid/3491 We have added a check for this URL variant to NeXpose, our security scanner. Visit http://www.rapid7.com to learn more and to download. Gabriel Maggiotti wrote:
--------------------------------------------------------------------------- Web: http://qb0x.net Author: Gabriel A. Maggiotti Date: Febrary 03, 2002 E-mail: gmaggiot () ciudad com ar --------------------------------------------------------------------------- General Info ------------ Problem Type : password protected url bypass Product : Lotus Domino Scope : Remote Risk : High
Chad Loder <chad () rapid7 com> Principal Engineer Rapid 7, Inc. <http://www.rapid7.com>
Attachment:
_bin
Description:
Current thread:
- Lotus Domino password bypass Gabriel A. Maggiotti (Feb 04)
- Re: Lotus Domino password bypass Chad Loder (Feb 04)
- Re: Lotus Domino password bypass David Litchfield (Feb 04)
- <Possible follow-ups>
- Lotus Domino password bypass Red Wolf (Feb 04)