Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root

Mon, 08 Jan 2001 12:27:02 -0800 

Summary of responses:

---
From: [EMAIL PROTECTED]

I just tested this on our Domino 5.0.5 boxes running on Windows NT 4.0 (service
pack 6a) and it did not work. Here is the error message I got:

Error 0

Forbidden - URL containing .. forbidden [don't try to break in]

---
From: "Cristi Dumitrescu" <[EMAIL PROTECTED]>

Tried on a Windows NT 4 machine with the same version of Domino and it does
not work.
Telnet session transcript:
GET .nsf/../winnt/win.ini HTTP/1.0

HTTP/1.1 404 Not found - file doesn't exist or is read protected [even tried
multi]


GET .nsf/../../winnt/win.ini HTTP/1.0

HTTP/1.1 500 Forbidden - URL containing .. forbidden [don't try to break in]

---
From: <[EMAIL PROTECTED]>

A few quick followups

 1/ this vulnerability is also confirmed on Domino 5.0 (original
release)
 2/ this vulnerability is also confirmed on NT4
 3/ it appears that this vulnerability does NOT affect Domino 5.0.5 on
Linux

---
From: John Cardona <[EMAIL PROTECTED]>

I test Lotus Dominio 5.0 Under NT4.0 Service Pack 6a and it has the same
vulnerability.

---
From: [EMAIL PROTECTED]

Could not reproduce on Domino 5.0.5 nor 5.0.4 under Windows NT 4 (SP 5 or
6a - don't know for sure).

-----------------------------------------
http://TARGETDOMINO/.nsf/../winnt/win.ini
-----------------------------------------

Gives a 404 error

-----------------------------------------
http://TARGETDOMINO/../winnt/win.ini
-----------------------------------------

Gives a "Error 0 Forbidden - URL containing .. forbidden [don't try to
break in]"

Might be a result configuration options in either Domino or NT.  Servers
checked have "Allow HTTP clients to browse databases:" set to NO.

As an aside, I object to announcing such a potentially damaging
vulnerability only 48 hours after the vendor was contacted.

Thom Dyson
Director of Information Services
Sybex, Inc.

---
From: "Philip Wagenaar" <[EMAIL PROTECTED]>

I have tried the exploit on several Lotus Domoni 5.0.5 web servers but I
wasnt able to reproduce the problem

---
From: [EMAIL PROTECTED]

NT 4 (german) SP5 is vulnerable too, but Dominos below 5.0.4 doesn`t seem
to have this malfunction.

it was possible to get any file instead of NSFs, any suggestions why? could
it be possible to change the partition?


---



Ben Greenbaum
Director of Site Content
SecurityFocus
http://www.securityfocus.com

Reply via email to