Vulnerability Development mailing list archives
Antwort: Lotus Domino url bypass
From: j.mickerts () gmx net
Date: Mon, 4 Feb 2002 09:35:37 +0100
Hi, this does not work for me. I tested it against Domino 5.0.8 on Windows 2000 SP2 with all actual patches. I get redirected to the login-page. How are your ACLs on the template? Mine do not allow Anonymous or Default any access. Maybe this corrects the issue. I also use SSL to connect, but this should not interfere with the exploit. Maybe you should state version and platform. Kind regards, Jens Mickerts "Gabriel A. Maggiotti" <gmaggiot () ciudad com ar> Gesendet von: gabi () postino8 int prima com ar 04.02.2002 04:30 Bitte antworten an gmaggiot An: vuln-dev () securityfocus com, bugtraq () securityfocus com Kopie: Thema: Lotus Domino url bypass --------------------------------------------------------------------------- Web: http://qb0x.net Author: Gabriel A. Maggiotti X-te: Febrary 03, 2002 E-mail: gmaggiot () ciudad com ar --------------------------------------------------------------------------- General Info ------------ Problem Type : password protected url bypass Product : Lotus Domino Scope : Remote Risk : High Summary ------- A security vulnerability has been found in the popular Lotus Domino Web server. Lotus Domino have files like webadmin.nsf, log.nsf and names.nfs, this files are protected by password. I discover that is posible to bypass this password if you create a malformed url. Notes Databases '.nsf' like webadmin.nsf or log.nsf are store in "lotus/domino/ data/" directory nas Notes Templatesi '.ntf' are store in the same place (Here is the goal). Examples: I found a critical and max length. assuming the buffer is: http://host.com/<buffer>/ Critical buffer length: is the minimun buffer length you need to bypass the passwd file. normal url: http://host.com/log.nsf <---- Request for a passwd modify url: http://host.com/log.ntf<buff>.snf/ |-----217 -------| In the case of log.nsf, <buff> is 217 - 12 = 205 '+' and the url will be: http://host.com/log.ntf++++++++++++++++++++.nsf/ |-------- 205 -----| If you write a buffer between 219 and 257(higher buffer), you bypass the passwd. modify url: http://host.com/log.ntf<buff>.snf/ |---219 to 257 --|
Current thread:
- Antwort: Lotus Domino url bypass j . mickerts (Feb 04)
- Re: Antwort: Lotus Domino url bypass CT (Feb 04)