Regarding this vulnerability:

The problem seems to exist with all versions of Lotus 5.04 and up and has even
been confirmed on 4.6.7 (the latest R4 release).
In a standard Windows installation, the URL mentioned by Georgi
Guninski will result in the contents of win.ini being displayed, or the file
being downloadable.
After some testing it becomes apparent that the vulnerability only exists on
the drive where the Domino program files reside. This means your system
drive if you haven't changed the installer's defaults.
If one has changed the defaults, a URL like
http://yourvictim/.nsf/../lotus/domino/notes.ini will still reveal sensitive
information, although e.g. /winnt/repair/sam._ cannot be read anymore, as
these files are on your system drive.
Forming URLs like /.nsf/../../ directly on the root of the target's
web server will trigger Domino's security rules unless you are trying to back
out of a subdir (http://target.com/directory/.nsf/../../thefileyouwant).

In a sensible environment you will change the installation defaults so that
you have a separate system disk, a program disk and a data disk. In the
event of a shared program / data disk, your Notes server.id (which is not
password protected) is still up for grabs.

So far this vulnerability has been confirmed on NT4 / Win2000 / S390 /
AS400 / Linux / Solaris. (Not all have been tested by me.)

I have to agree with Thom Dyson when it comes to announcing this
vulnerability 48 hours after its discovery.

regards,

Hendrik-Jan Verheij  http://redheat.org
Hostmaster Popin Internet    +31074 2555660
[EMAIL PROTECTED]    http://www.popin.nl
Assimilation is irrelevant, You are futile!

----- Original Message -----
From: "Ben Greenbaum" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 08, 2001 5:17 PM
Subject: Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root

> Summary of responses:
>
> ---
> From: [EMAIL PROTECTED]
>
> I just tested this on our Domino 5.0.5 boxes running on Windows NT 4.0 (service
> pack 6a) and it did not work. Here is the error message I got:
>
> Error 0
>
> Forbidden - URL containing .. forbidden [don't try to break in]
>
> ---
> From: "Cristi Dumitrescu" <[EMAIL PROTECTED]>
>
> Tried on a Windows NT 4 machine with the same version of Domino and it does
> not work.
> Telnet session transcript:
> GET .nsf/../winnt/win.ini HTTP/1.0
>
> HTTP/1.1 404 Not found - file doesn't exist or is read protected [even tried
> multi]
>
>
> GET .nsf/../../winnt/win.ini HTTP/1.0
>
> HTTP/1.1 500 Forbidden - URL containing .. forbidden [don't try to break in]
>
> ---
> From: <[EMAIL PROTECTED]>
>
> A few quick followups
>
>  1/ this vulnerability is also confirmed on Domino 5.0 (original
> release)
>  2/ this vulnerability is also confirmed on NT4
>  3/ it appears that this vulnerability does NOT affect Domino 5.0.5 on
> Linux
>
> ---
> From: John Cardona <[EMAIL PROTECTED]>
>
> I tested Lotus Domino 5.0 under NT 4.0 Service Pack 6a and it has the same
> vulnerability.
>
> ---
> From: [EMAIL PROTECTED]
>
> Could not reproduce on Domino 5.0.5 nor 5.0.4 under Windows NT 4 (SP 5 or
> 6a - don't know for sure).
>
> -----------------------------------------
> http://TARGETDOMINO/.nsf/../winnt/win.ini
> -----------------------------------------
>
> Gives a 404 error
>
> -----------------------------------------
> http://TARGETDOMINO/../winnt/win.ini
> -----------------------------------------
>
> Gives a "Error 0 Forbidden - URL containing .. forbidden [don't try to
> break in]"
>
> Might be a result of configuration options in either Domino or NT.  Servers
> checked have "Allow HTTP clients to browse databases:" set to NO.
>
> As an aside, I object to announcing such a potentially damaging
> vulnerability only 48 hours after the vendor was contacted.
>
> Thom Dyson
> Director of Information Services
> Sybex, Inc.
>
> ---
> From: "Philip Wagenaar" <[EMAIL PROTECTED]>
>
> I have tried the exploit on several Lotus Domino 5.0.5 web servers but I
> wasn't able to reproduce the problem.
>
> ---
> From: [EMAIL PROTECTED]
>
> NT 4 (German) SP5 is vulnerable too, but Dominos below 5.0.4 don't seem
> to have this malfunction.
>
> It was possible to get any file instead of NSFs; any suggestions why? Could
> it be possible to change the partition?
>
>
> ---
>
> Ben Greenbaum
> Director of Site Content
> SecurityFocus
> http://www.securityfocus.com
>
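A defender-side check for the traversal pattern discussed in this thread, added here as an example and not part of the original mail or of Domino itself: it scans web-server access-log lines (constructed sample data; Common Log Format is an assumption about the log layout) for a `.nsf` path element followed by `..`, including the subdirectory form and percent-encoded variants, and flags which of those requests the server actually answered with 200 rather than refusing.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (assumed format);
# the paths mirror the URLs discussed in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2001:17:17:01 +0100] "GET /names.nsf?OpenDatabase HTTP/1.0" 200 5120
10.0.0.9 - - [08/Jan/2001:17:18:22 +0100] "GET /.nsf/../winnt/win.ini HTTP/1.0" 200 812
10.0.0.9 - - [08/Jan/2001:17:18:40 +0100] "GET /.nsf/../../winnt/repair/sam._ HTTP/1.0" 500 0
10.0.0.9 - - [08/Jan/2001:17:19:03 +0100] "GET /directory/.nsf/../../lotus/domino/notes.ini HTTP/1.0" 200 2310
10.0.0.9 - - [08/Jan/2001:17:19:30 +0100] "GET /.nsf/%2e%2e/winnt/win.ini HTTP/1.0" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# A path element ending in ".nsf" followed by one or more ".." segments.
# Covers both "/.nsf/../x" and the subdirectory form "/dir/.nsf/../../x".
TRAVERSAL_RE = re.compile(r'/[^/]*\.nsf(?:/\.\.)+/', re.IGNORECASE)


def normalize(url):
    """Strip the query string, percent-decode twice (catches double encoding)
    and fold backslashes, which Windows also accepts as path separators."""
    path = url.split('?', 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.replace('\\', '/')


def find_traversal_attempts(log_text):
    """Return (ip, status, decoded_path, leaked) tuples for requests matching
    the .nsf traversal pattern. leaked is True when the server answered 200,
    i.e. it did not refuse the request and most likely returned the file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize(m['url'])
        if TRAVERSAL_RE.search(path):
            status = int(m['status'])
            hits.append((m['ip'], status, path, status == 200))
    return hits


if __name__ == "__main__":
    for ip, status, path, leaked in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} {status} {'LEAK' if leaked else 'refused'} {path}")
```

A 200 on such a request is the signal worth alerting on; the 404 and 500 responses correspond to the refusals several respondents in the thread observed.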
