Re[2]: UserID and hashed password for Lotus Domino

[Philip Storry <phil () philipstorry net>]

Hello gpedone77,

Saturday, October 19, 2002, 6:20:57 PM, you wrote:

g> I tried this with a site running domino 5.0.7 and it works for
g> log.ntf+++<>.nsf/ and for webadmin.nsf, but not for setupweb.nsf or for
g> names.nsf (at least apparently).
g> On Domino 5.0.9a looks like it does not work... it keeps on giving error 500
g> (or requesting auth, it depends on how long is the junk string)

As I responded to HalbaSus, this was fixed in R5.0.9, by the looks of
it.

It doesn't work for names.nsf because the template that names.nsf uses
is named pubnames.ntf, not names.ntf. The vulnerability is effectively
just confusing the Domino server to return the .ntf equivalent of the
.nsf file name - if the database name and the name of the template
that created it vary, the database will not be vulnerable.

-- 
Best regards,
 Philip                            mailto:phil () philipstorry net