Bugtraq mailing list archives
Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root
From: Georgi Guninski <guninski () GUNINSKI COM>
Date: Mon, 8 Jan 2001 21:49:35 +0200
Lotus wrote to me they have been able to reproduce the vulnerability and shall fix it in an upcoming release.

Georgi Guninski

Ben Greenbaum wrote:
Summary of responses:

---
From: rjmitchell () columbiaenergygroup com

I just tested this on our Domino 5.0.5 boxes running on Windows NT 4.0 (service pack 6a) and it did not work. Here is the error message I got:

    Error 0 Forbidden - URL containing .. forbidden [don't try to break in]

---
From: "Cristi Dumitrescu" <cristid () chip ro>

Tried on a Windows NT 4 machine with the same version of Domino and it does not work. Telnet session transcript:

    GET .nsf/../winnt/win.ini HTTP/1.0
    HTTP/1.1 404 Not found - file doesn't exist or is read protected [even tried multi]

    GET .nsf/../../winnt/win.ini HTTP/1.0
    HTTP/1.1 500 Forbidden - URL containing .. forbidden [don't try to break in]

---
From: <rreiner () fscinternet com>

A few quick followups

1/ this vulnerability is also confirmed on Domino 5.0 (original release)
2/ this vulnerability is also confirmed on NT4
3/ it appears that this vulnerability does NOT affect Domino 5.0.5 on Linux

---
From: John Cardona <jojaca () senamed edu co>

I tested Lotus Domino 5.0 under NT 4.0 Service Pack 6a and it has the same vulnerability.

---
From: TDyson () sybex com

Could not reproduce on Domino 5.0.5 nor 5.0.4 under Windows NT 4 (SP 5 or 6a - don't know for sure).

-----------------------------------------
http://TARGETDOMINO/.nsf/../winnt/win.ini
-----------------------------------------
Gives a 404 error

-----------------------------------------
http://TARGETDOMINO/../winnt/win.ini
-----------------------------------------
Gives a "Error 0 Forbidden - URL containing .. forbidden [don't try to break in]"

Might be a result of configuration options in either Domino or NT. Servers checked have "Allow HTTP clients to browse databases:" set to NO.

As an aside, I object to announcing such a potentially damaging vulnerability only 48 hours after the vendor was contacted.

Thom Dyson
Director of Information Services
Sybex, Inc.

---
From: "Philip Wagenaar" <pb.wagenaar () chello nl>

I have tried the exploit on several Lotus Domino 5.0.5 web servers but I wasn't able to reproduce the problem.

---
From: Carsten.Schuette () hitcon de

NT 4 (German) SP5 is vulnerable too, but Dominos below 5.0.4 don't seem to have this malfunction. It was possible to get any file instead of NSFs, any suggestions why? Could it be possible to change the partition?

---
Ben Greenbaum
Director of Site Content
SecurityFocus
http://www.securityfocus.com
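Added example, not part of the original thread or of any vendor code: a Python check over web server access logs for the request forms quoted in the responses above. It flags every ".." path segment rather than only paths that resolve above the web root, because /.nsf/../winnt/win.ini normalizes to a path that plain segment counting places inside the root. The log lines, client addresses and status codes below are constructed samples, and the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/\d\.\d"')

def path_segments(target):
    """Drop the query string, percent-decode, treat '\\' as '/', split on '/'."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    return [seg for seg in path.split("/") if seg]

def escapes_root(target):
    """True only if counting segments shows the path climbing above the root."""
    depth = 0
    for seg in path_segments(target):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg != ".":
            depth += 1
    return False

def classify(target):
    """'nsf-traversal' for '..' directly after a *.nsf segment, 'traversal' for any other '..'."""
    segs = path_segments(target)
    verdict = None
    for prev, seg in zip([""] + segs, segs):
        if seg == "..":
            if prev.lower().endswith(".nsf"):
                return "nsf-traversal"
            verdict = "traversal"
    return verdict

def scan(log_lines):
    """Return (line number, verdict, escapes_root) for every flagged request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match and classify(match.group(1)):
            hits.append((number, classify(match.group(1)), escapes_root(match.group(1))))
    return hits

# Constructed sample log; the request targets are the ones quoted in the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jan/2001:21:40:01 +0200] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.11 - - [08/Jan/2001:21:40:05 +0200] "GET /.nsf/../winnt/win.ini HTTP/1.0" 404 0',
    '192.0.2.11 - - [08/Jan/2001:21:40:09 +0200] "GET /.nsf/../../winnt/win.ini HTTP/1.0" 500 0',
    '192.0.2.12 - - [08/Jan/2001:21:41:00 +0200] "GET /../winnt/win.ini HTTP/1.0" 500 0',
    '192.0.2.13 - - [08/Jan/2001:21:42:00 +0200] "GET /sample.nsf?OpenDatabase HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The second sample line is flagged as "nsf-traversal" even though escapes_root() is False for it, which is the case a root-escape check alone would miss.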