Vulnerability Development mailing list archives

Re[2]: UserID and hashed password for Lotus Domino


From: Philip Storry <phil () philipstorry net>
Date: Sun, 20 Oct 2002 21:03:04 +0100

Hello HalbaSus,

Saturday, October 19, 2002, 1:16:48 PM, you wrote:

H> Hi, I am doing a test for a company also running Lotus Domino. I tried
H> names nsf yet it asks for authentication. According to 
H> http://packetstormsecurity.nl/0202-exploits/lotus.domino.bypass.txt 
H> there is a way to bypass the authentication by sending a buffer. I did 
H> a quick perl script that would brute force that buffer and I found 
H> something quite interesting.
H> A URL like http://www.host.com/log.ntf++++x215+++++++.nsf would get me 
H> the same page as www.host.com/log.nsf (any other buffer would result in 
H> a server error) This gives me the feeling that the exploit does work, 
H> and what I'm actually seeing is log.ntf (not log.nsf) but probably the 2 
H> files are identical... or maybe I'm wrong... anyway, could you, or 
H> somebody else concerned about Lotus Domino security give me a clue about 
H> all this stuff.

I think you're referring to this vulnerability:
http://www-1.ibm.com/support/docview.wss?rs=1&org=sims&doc=0B0C94EBE9401D7B85256B5A006DECFC

(The URL will probably be wrapped by an MTA somewhere - sorry about
that.)

This is cured in Domino R5.0.9, by the looks of it. Which version of
Domino are you using? Lotus would probably be interested to know if
there's a version after that which is still vulnerable.

-- 
Best regards,
 Philip                            mailto:phil () philipstorry net

