Bugtraq mailing list archives

Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root


From: Georgi Guninski <guninski () GUNINSKI COM>
Date: Mon, 8 Jan 2001 21:49:35 +0200

Lotus wrote to me they have been able to reproduce the vulnerability and shall fix it in
an upcoming release.

Georgi Guninski

Ben Greenbaum wrote:

Summary of responses:

---
From: rjmitchell () columbiaenergygroup com

I just tested this on our Domino 5.0.5 boxes running on Windows NT 4.0 (service
pack 6a) and it did not work. Here is the error message I got:

Error 0

Forbidden - URL containing .. forbidden [don't try to break in]

---
From: "Cristi Dumitrescu" <cristid () chip ro>

Tried on a Windows NT 4 machine with the same version of Domino and it does
not work.
Telnet session transcript:
GET .nsf/../winnt/win.ini HTTP/1.0

HTTP/1.1 404 Not found - file doesn't exist or is read protected [even tried
multi]

GET .nsf/../../winnt/win.ini HTTP/1.0

HTTP/1.1 500 Forbidden - URL containing .. forbidden [don't try to break in]

---
From: <rreiner () fscinternet com>

A few quick followups

 1/ this vulnerability is also confirmed on Domino 5.0 (original
release)
 2/ this vulnerability is also confirmed on NT4
 3/ it appears that this vulnerability does NOT affect Domino 5.0.5 on
Linux

---
From: John Cardona <jojaca () senamed edu co>

I tested Lotus Domino 5.0 under NT 4.0 Service Pack 6a and it has the same
vulnerability.

---
From: TDyson () sybex com

Could not reproduce on Domino 5.0.5 nor 5.0.4 under Windows NT 4 (SP 5 or
6a - don't know for sure).

-----------------------------------------
http://TARGETDOMINO/.nsf/../winnt/win.ini
-----------------------------------------

Gives a 404 error

-----------------------------------------
http://TARGETDOMINO/../winnt/win.ini
-----------------------------------------

Gives a "Error 0 Forbidden - URL containing .. forbidden [don't try to
break in]"

Might be a result of configuration options in either Domino or NT.  Servers
checked have "Allow HTTP clients to browse databases:" set to NO.

As an aside, I object to announcing such a potentially damaging
vulnerability only 48 hours after the vendor was contacted.

Thom Dyson
Director of Information Services
Sybex, Inc.

---
From: "Philip Wagenaar" <pb.wagenaar () chello nl>

I have tried the exploit on several Lotus Domino 5.0.5 web servers but I
wasn't able to reproduce the problem.

---
From: Carsten.Schuette () hitcon de

NT 4 (German) SP5 is vulnerable too, but Dominos below 5.0.4 don't seem
to have this malfunction.

It was possible to get any file instead of NSFs, any suggestions why? Could
it be possible to change the partition?

---

Ben Greenbaum
Director of Site Content
SecurityFocus
http://www.securityfocus.com
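The responses above show two server behaviours a defender cares about: Domino rejecting any URL that contains a ".." segment ("Forbidden - URL containing .. forbidden"), and the question of whether a request path, once canonicalized, stays under the web root. The following Python is an added illustration of both checks plus a small access-log scan for such requests; it is not Domino's code and not from any poster in the thread. The web root, function names and the log lines are constructed for the example. Note that canonicalizing `/.nsf/../winnt/win.ini` against a single root keeps it inside the root, so the page's report that 5.0.5 served win.ini for that URL implies Domino mapped the `.nsf` prefix somewhere else before applying `..`; the thread does not say how, so the example shows only the generic checks.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed web root for the example (an assumption, not a Domino path).
WEB_ROOT = "/srv/domino/data"


def _decode(url_path: str) -> str:
    """Percent-decode twice (catches %252e%252e) and fold backslashes,
    which Windows hosts treat as path separators."""
    return unquote(unquote(url_path)).replace("\\", "/")


def has_dotdot_segment(url_path: str) -> bool:
    """Blunt check in the spirit of Domino's 'URL containing .. forbidden'
    response: true if any decoded path segment is exactly '..'."""
    return any(seg == ".." for seg in _decode(url_path).split("/"))


def resolve_under_root(web_root: str, url_path: str):
    """Canonicalize url_path relative to web_root.  Returns the absolute
    path if it stays at or below web_root, otherwise None."""
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(
        posixpath.join(root, _decode(url_path).lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Constructed CLF-style access-log lines; the requests mirror the URLs
# quoted in the thread.
LOG_LINES = [
    '10.0.0.5 - - [08/Jan/2001:21:49:35 +0200] "GET /names.nsf HTTP/1.0" 200 4312',
    '10.0.0.9 - - [08/Jan/2001:21:50:01 +0200] "GET /.nsf/../winnt/win.ini HTTP/1.0" 404 0',
    '10.0.0.9 - - [08/Jan/2001:21:50:07 +0200] "GET /../winnt/win.ini HTTP/1.0" 403 0',
    '10.0.0.9 - - [08/Jan/2001:21:50:12 +0200] "GET /%2e%2e/winnt/win.ini HTTP/1.0" 403 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal_attempts(lines):
    """Return the request paths in access-log lines that carry a '..'
    segment, regardless of the status code the server answered with.
    A 404 or 403 still means someone probed; log it either way."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and has_dotdot_segment(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for path in ("/names.nsf", "/.nsf/../winnt/win.ini", "/../winnt/win.ini"):
        print(path, "->", "dotdot" if has_dotdot_segment(path) else "clean",
              resolve_under_root(WEB_ROOT, path))
    print("flagged:", flag_traversal_attempts(LOG_LINES))
```

Rejecting any ".." segment outright is the cheaper rule and is what the working 5.0.5 installations in the thread did; the canonicalization check is the one that actually decides whether a file outside the root can be reached, and it must run on the decoded path, after every prefix mapping the server performs.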

