Bugtraq mailing list archives

Re: Lotus Domino 5.0.5 Web Server vulnerability - reading fi

From: Ben Greenbaum <bgreenbaum () SECURITYFOCUS COM>
Date: Wed, 10 Jan 2001 09:04:30 -0800

Summary of responses to .nsf/../ issue:

---------------------------
From: tschweikle () FIDUCIA de

Domino is installed in D:\programme\notes, the data-directory
is D:\programme\notes\data (an NT4 box with Domino R4.6.7):

with http://myserver/.nsf/../Programme/notes/data/notes.ini
I might therefore reach notes.ini. But:

Error 404
Not found - file doesn't exist or is read protected [even tried multi]

My second box is Linux with Domino R5.0.6:

installation path is: /opt/lotus/notes. Data is in /local/notesdata
These are different partitions.

Trying

http://myserver2/.nsf/../local/notesdata/notes.ini or
http://myserver2/.nsf/../notesdata/notes.ini or
http://myserver2/.nsf/../notes.ini or
http://myserver2/.nsf/../opt/lotus/notes/license.txt
...
http://myserver2/.nsf/../opt/license.txt

all give the same error:

Error 404
Not found - file doesn't exist or is read protected [even tried multi]


Thus I couldn't confirm your vulnerability. But on the other hand,
both servers are really restrictive in what is allowed to do for
domino. Maybe the error message should read: "... does not have
permission to read this file."

But remarkably there are no log entries telling me one tried to
access an normally inaccessible file. Apache tells me about such
an attempt!

---------------------------------
From: Karl_Rademacher () agl aon com
     I've been unable to reproduce this on a machine under my control. It just
strips out the .nsf/../ portion of the url and returns the standard "404 File
not found" message. Did you experience anything like that (in other words, am I
doing something wrong?). Here are the particulars of the server in question:

NT4 SP6 with TCP security patches
All forms of NT networking un-installed except the IP stack.
Domino R5.05 running on a non-system partition
HTTP server forces an ssl connect, user authentication and doesn't allow
directory browsing.

     I'm thinking that something to do with the directory browsing restriction
is causing the .nsf/../ to be stripped out of the GET request by the server, but
I could be wrong. Still, I don't get the "URL Containing .. Forbidden" message.
Any insights?


----------------------------------------
From: Felix Grushevskiy <fil () viaduk net>

Version 5.06 (nt4sp6a) is also affected by this

Current thread:

Re: Lotus Domino 5.0.5 Web Server vulnerability - reading fi Ben Greenbaum (Jan 10)
- <Possible follow-ups>
- Re: Lotus Domino 5.0.5 Web Server vulnerability - reading fi Kai Rossner (Jan 12)