Bugtraq mailing list archives

Re: Lotus Domino password bypass


From: Chad Loder <chad () rapid7 com>
Date: Mon, 04 Feb 2002 12:23:22 -0800

We've reproduced this on Domino 5.0.8 and earlier. Domino
version 5.0.9 does NOT appear to be vulnerable (it gives
an Error 500 Unable to Process Request).

I seem to remember another variant of this vulnerability
having been reported before. However I can't find the URL
for the advisory (it might have been David Litchfield
from NextGenSS) -- the reason I think so is because Lotus
fixed a whole slew of template access problems in 5.0.9
(apparently including this one).

As far as I can tell, this vulnerability only allows you to
access the design template (.ntf), not the database itself
(.nsf).

However, access to the webadmin.ntf template in particular
can be very dangerous.  As David Litchfield reported last year
(yes I'm sure it was him this time :-), attackers can use that
template to read files on the Domino system. So this bug may
provide another way to get at the web admin template. See the
following for more information:

        http://www.securityfocus.com/bid/3491


We have added a check for this URL variant to NeXpose,
our security scanner. Visit http://www.rapid7.com to
learn more and to download.

Gabriel Maggiotti wrote:
---------------------------------------------------------------------------
Web:  http://qb0x.net                   Author: Gabriel A. Maggiotti
Date: February 03, 2002                 E-mail: gmaggiot () ciudad com ar
---------------------------------------------------------------------------


General Info
------------
Problem Type    :  password protected url bypass
Product         :  Lotus Domino
Scope           :  Remote
Risk            :  High





Chad Loder <chad () rapid7 com>
Principal Engineer
Rapid 7, Inc. <http://www.rapid7.com>
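
A defender-side log check for the exposure discussed in the message above, added here as an example (not code from the original post or from NeXpose): it flags requests that address a `.ntf` design template in a web access log and marks `webadmin.ntf` requests that were actually served. The Common Log Format layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request target and status of a Common Log Format line (assumed log layout).
CLF = re.compile(r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})\b')

def template_name(target):
    """Return the lower-cased .ntf path segment a request addresses, or None."""
    path = urlsplit(target).path
    for _ in range(3):                      # undo nested percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    for segment in path.replace("\\", "/").lower().split("/"):
        if segment.endswith(".ntf"):
            return segment
    return None

def verdict(status):
    if 200 <= status < 300:
        return "served"                     # template content was returned
    if status in (401, 403):
        return "denied"                     # access control held
    if status == 500:
        return "error-500"                  # response the message reports for 5.0.9
    return "other"

def scan(lines):
    """Return (line_no, template, verdict, high_priority) per .ntf request."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = CLF.search(line)
        name = template_name(m.group("target")) if m else None
        if name:
            v = verdict(int(m.group("status")))
            findings.append((no, name, v, name == "webadmin.ntf" and v == "served"))
    return findings

# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE = [
    '192.0.2.10 - - [04/Feb/2002:12:01:07 -0800] "GET /names.nsf?OpenDatabase HTTP/1.0" 401 210',
    '192.0.2.10 - - [04/Feb/2002:12:01:09 -0800] "GET /webadmin.ntf HTTP/1.0" 200 5120',
    '198.51.100.7 - - [04/Feb/2002:12:02:30 -0800] "GET /WebAdmin%2Entf/ HTTP/1.0" 500 312',
    '198.51.100.7 - - [04/Feb/2002:12:02:41 -0800] "GET /sample.ntf?OpenDatabase HTTP/1.0" 401 210',
    '203.0.113.5 - - [04/Feb/2002:12:03:00 -0800] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Any `served` finding on a server that is supposed to require authentication for templates deserves follow-up, and a high-priority flag means `webadmin.ntf` content was returned.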
