Vulnerability Development mailing list archives
Re[2]: UserID and hashed password for Lotus Domino
From: Philip Storry <phil () philipstorry net>
Date: Sun, 20 Oct 2002 21:08:13 +0100
Hello gpedone77, Saturday, October 19, 2002, 6:20:57 PM, you wrote: g> I tried this with a site running domino 5.0.7 and it works for g> log.ntf+++<>.nsf/ and for webadmin.nsf, but not for setupweb.nsf or for g> names.nsf (at least apparently). g> On Domino 5.0.9a looks like it does not work... it keeps on giving error 500 g> (or requesting auth, it depends on how long is the junk string) As I responded to HalbaSus, this was fixed in R5.0.9, by the looks of it. It doesn't work for names.nsf because the template that names.nsf uses is named pubnames.ntf, not names.ntf. The vulnerability is effectively just confusing the Domino server to return the .ntf equivalent of the .nsf file name - if the database name and the name of the template that created it vary, the database will not be vulnerable. -- Best regards, Philip mailto:phil () philipstorry net
Current thread:
- UserID and hashed password for Lotus Domino Casper Gio (Oct 18)
- Re: UserID and hashed password for Lotus Domino Nicolas Gregoire (Oct 18)
- Re[2]: UserID and hashed password for Lotus Domino Philip Storry (Oct 18)
- Re: UserID and hashed password for Lotus Domino Philip Storry (Oct 18)
- Re: UserID and hashed password for Lotus Domino gpedone77 (Oct 20)
- Message not available
- Re[2]: UserID and hashed password for Lotus Domino Philip Storry (Oct 21)
- Re: UserID and hashed password for Lotus Domino gpedone77 (Oct 23)
- Re: UserID and hashed password for Lotus Domino Nicolas Gregoire (Oct 18)
- Re: UserID and hashed password for Lotus Domino HalbaSus (Oct 20)
- Re: UserID and hashed password for Lotus Domino gpedone77 (Oct 20)
- Re[2]: UserID and hashed password for Lotus Domino Philip Storry (Oct 21)
- Re[2]: UserID and hashed password for Lotus Domino Philip Storry (Oct 21)
- Re: UserID and hashed password for Lotus Domino gpedone77 (Oct 20)
- <Possible follow-ups>
- Re: UserID and hashed password for Lotus Domino Valgasu (Oct 18)
- Re: UserID and hashed password for Lotus Domino gpedone77 (Oct 20)
- Re: UserID and hashed password for Lotus Domino jeff (Oct 22)