Re : Lotus Domino password bypass

From: Nicolas Gregoire (ngregoireat_private)
Date: Mon Feb 04 2002 - 09:57:23 PST


    04/02/2002 04:00:52, "Gabriel A. Maggiotti" <gmaggiotat_private> wrote :
    
    > Summary
    > -------
    > A security vulnerability has been found in the popular Lotus Domino Web server.
    > Lotus Domino has files like webadmin.nsf, log.nsf and names.nsf; these files
    > are protected by password. I discovered that it is possible to bypass this password
    > if you create a malformed URL.
    
    > Notes Databases '.nsf' like webadmin.nsf or log.nsf are stored in the "lotus/domino/
    > data/" directory, and Notes Templates '.ntf' are stored in the same place (here
    > is the goal).
    
    My 0.2 Euros :
    
    - this problem is (quite) old news and is described in detail in a David Litchfield paper.
    This file can be downloaded at http://www.nextgenss.com/hpdws.zip
    
    - you have (a little) misunderstood the problem.
    Quoted from the "Hackproofing Lotus Domino Web Server" doc :
    
    "Another method of tricking Domino into opening the Web Administrator template is
    through the use of buffer truncation. By making the following request
    http://server/webadmin.ntf++++++_250_pluses+++++.nsf/
    access to webadmin.ntf is granted. This works because Domino attempts to protect itself
    from buffer overrun attacks and chops a user request down to a safe size. In terms of
    events here's what happens. Domino receives the request and converts all the pluses to
    spaces and sees it has a .nsf file extension and therefore loads the database parser. The
    database parser chops the end off of the request (thus removing the .nsf) to prevent any
    buffer overrun and then looks in the lotus\domino\data directory for the file, webadmin.ntf
    <space><space><space>.... which it finds and then opens. Thus again the attacker can
    use webadmin.ntf's functionality."
    
    
    
    Nicob
    
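Added example (editor's illustration, not code from the original message, from Domino, or from Litchfield's paper): a small Python model of the event sequence quoted above, decode the pluses, check for ".nsf", chop the request to a "safe size", open whatever the chopped name resolves to, placed next to a hardened variant that refuses over-long requests and runs the extension check on the same canonical name it opens. The contents of the data directory, the MAX_REQUEST limit (the real value is not stated in the text; 256 is chosen so that the 250-plus request loses exactly its trailing ".nsf") and the Windows-style stripping of trailing spaces from filenames are constructed assumptions.

```python
"""Model of the extension-check / truncation mismatch described in the
quoted paragraph. Not Domino's code: a simplified re-implementation of
the sequence "decode pluses, check .nsf, chop to a safe size, open the
file the chopped name points at", beside a hardened variant.
"""
from urllib.parse import unquote_plus

# Constructed stand-in for lotus\domino\data. Only the .nsf databases
# enforce a password; the .ntf template carries the same functionality
# but is not supposed to be reachable through the database parser at all.
DATA_DIR = {
    "webadmin.nsf": {"auth": True},
    "webadmin.ntf": {"auth": False},
    "names.nsf": {"auth": True},
}

# Assumed "safe size" the database parser chops requests down to. The
# real value is not given in the text; 256 makes the 250-plus request
# from the quoted paragraph lose exactly its trailing ".nsf".
MAX_REQUEST = 256


def fs_lookup(name):
    """Model of a Windows-style open(): trailing spaces in a filename are ignored."""
    return DATA_DIR.get(name.rstrip(" "))


def truncation_request(template, pluses=250):
    """Build the URL path from the quoted paragraph: template name, padding, '.nsf/'."""
    return "/" + template + "+" * pluses + ".nsf/"


def vulnerable_open(path):
    """Decide 'is this a database?' on one string, open the file named by another."""
    decoded = unquote_plus(path.strip("/"))          # pluses become spaces
    if not decoded.lower().endswith(".nsf"):
        return (404, "not a database request")       # a plain .ntf is rejected here...
    safe = decoded[:MAX_REQUEST]                     # ...but the parser then chops the request
    entry = fs_lookup(safe)                          # and opens whatever that resolves to
    if entry is None:
        return (404, "no such database")
    if entry["auth"]:
        return (401, "password required")
    return (200, safe.rstrip(" "))


def hardened_open(path):
    """Refuse over-long requests and check the extension on the canonical name."""
    decoded = unquote_plus(path.strip("/"))
    if len(decoded) > MAX_REQUEST:
        return (414, "request too long")             # reject, never silently chop
    canonical = decoded.rstrip(" ")                  # same normalisation the filesystem applies
    if not canonical.lower().endswith(".nsf"):
        return (404, "not a database request")
    entry = DATA_DIR.get(canonical)                  # exact name only, no fs-side fuzziness
    if entry is None:
        return (404, "no such database")
    if entry["auth"]:
        return (401, "password required")
    return (200, canonical)


if __name__ == "__main__":
    evil = truncation_request("webadmin.ntf")
    print("vulnerable:", vulnerable_open(evil))            # (200, 'webadmin.ntf')
    print("hardened:  ", hardened_open(evil))              # (414, 'request too long')
    print("direct .ntf:", vulnerable_open("/webadmin.ntf/"))  # (404, 'not a database request')
```

The general pattern is the one worth remembering: the access decision (".nsf, so run the database parser") is taken on one representation of the name, and the file is opened under a different one (chopped, then normalised by the filesystem). Any fix has to make both steps look at the same string, which is why the hardened version rejects instead of truncating and normalises before it checks.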



    This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 15:35:28 PST