Vulnerability Development mailing list archives

RE: Lotus Domino password bypass


From: "Jens H. Christensen" <jens.christensen () vigilante com>
Date: Mon, 4 Feb 2002 12:38:47 -0500

As I see it, you do not bypass any ACL or password verification.
You only gain access to the templates - providing the ACL allows anonymous
access.
The same thing can be achieved by referencing the template by its replica-id
(http://www.securityfocus.com/bid/3491)
The whole issue is the way Domino maps the file extension to a physical
path.
Furthermore, the use of buffer truncation to access templates has already
been pointed out by NGSSoftware
(http://www.nextgenss.com/papers/hpldws.pdf, page 10).
Since templates (usually) only contain design elements and no data, they
are (usually) of limited interest.
However, there might be some interesting functionality (webadmin.ntf) or
information in the template.
But you're still only running as anonymous, and that will most likely
prevent you from doing any of the 'juicy' stuff.

Jens H. Christensen

-----Original Message-----
From: Gabriel A. Maggiotti [mailto:gmaggiot () ciudad com ar]
Sent: 4. februar 2002 05:00
To: vuln-dev () securityfocus com; bugtraq () securityfocus com
Subject: Lotus Domino password bypass



