Vulnerability Development mailing list archives
Re: Lotus Domino password bypass
From: "David Litchfield" <david () nextgenss com>
Date: Mon, 4 Feb 2002 17:33:06 -0000
Summary
-------
A security vulnerability has been found in the popular Lotus Domino Web
server.

SNIP

normal url: http://host.com/log.nsf <---- Request for a passwd
modify url: http://host.com/log.ntf<buff>.snf/

This is a known problem and has already been addressed by Lotus. Regardless, the .ntf file you're accessing here is a notes template file and is the model upon which the real log database (.nsf) is based. There is nothing in these template files of worth save for the Domino Web Administrator template. As anonymous access can be gained to this template, attackers can use some of the functionality to read text files on the system or enumerate databases.

Also of note is cache.dsk. Using the same technique attackers can access this cache file, which can allow an attacker to enumerate databases on the remote system.

To protect against this problem install the patch from Lotus. Further, using Domino Designer set the ACLs on the Web Administrator template to prevent anonymous access. Please note that in future distributions Lotus has defaulted the ACLs on webadmin.ntf to prevent access.

Cheers,
David Litchfield
http://www.ngssoftware.com/

p.s. NGSSoftware's DominoScan can be used to determine if your Domino server is vulnerable to this problem.
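
A defender-side illustration of the advice in this message, added here and not part of the original post or any Lotus or NGSSoftware tool: a web log check that flags requests for Notes templates (.ntf) or cache.dsk that were served to a client with no authenticated user. The Common Log Format layout, the sample lines and the `XXXXXXXX` filler are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed layout (Common Log Format): host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                 r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')
# Files named in the post: Notes templates (.ntf) and cache.dsk.
SENSITIVE = re.compile(r'\.ntf|/cache\.dsk', re.IGNORECASE)
# Shape of the quoted URL: template name, filler, then a database-style suffix.
PADDED = re.compile(r'(\.ntf|/cache\.dsk).+\.(nsf|snf)/?$', re.IGNORECASE)

def classify(line):
    """Return a finding dict for a request touching a template or cache.dsk, else None."""
    m = CLF.match(line)
    if not m:
        return None
    path = unquote(urlsplit(m['target']).path)
    if not SENSITIVE.search(path):
        return None
    anonymous = m['user'] == '-'          # no authenticated user recorded
    served = m['status'].startswith('2')  # the server returned content
    return {
        'host': m['host'],
        'path': path,
        'kind': 'padded' if PADDED.search(path) else 'direct',
        # Content served with no authenticated user is what the ACL change should stop.
        'severity': 'high' if anonymous and served else 'info',
    }

def scan(lines):
    """Return only the findings where content was served to an anonymous client."""
    findings = (classify(entry) for entry in lines)
    return [f for f in findings if f and f['severity'] == 'high']

# Constructed sample log lines; "XXXXXXXX" stands in for the elided filler.
SAMPLE = [
    '192.0.2.10 - - [04/Feb/2002:17:01:00 +0000] "GET /log.nsf HTTP/1.0" 401 210',
    '192.0.2.10 - - [04/Feb/2002:17:01:05 +0000] "GET /log.ntfXXXXXXXX.nsf/ HTTP/1.0" 200 5120',
    '192.0.2.10 - - [04/Feb/2002:17:01:09 +0000] "GET /webadmin.ntf HTTP/1.0" 401 210',
    '198.51.100.7 - admin [04/Feb/2002:17:02:00 +0000] "GET /webadmin.ntf HTTP/1.0" 200 9000',
    '192.0.2.10 - - [04/Feb/2002:17:03:00 +0000] "GET /cache.dsk HTTP/1.0" 200 800',
]

if __name__ == '__main__':
    for f in scan(SAMPLE):
        print(f"{f['severity']:5} {f['kind']:7} {f['host']} {f['path']}")
```

A `401` on the same paths after the ACL change is the expected result; any remaining `high` finding means a template or cache.dsk is still readable anonymously.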