Re[2]: UserID and hashed password for Lotus Domino

From: Philip Storry (philat_private)
Date: Sun Oct 20 2002 - 13:08:13 PDT

Next message: bad bob: "Help with a Clariion 4500 (aka dell fc450) raid array"

Previous message: Dragos Ruiu: "Re: Covert Channels"
In reply to: gpedone77: "Re: UserID and hashed password for Lotus Domino"
Next in thread: Philip Storry: "Re[2]: UserID and hashed password for Lotus Domino"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello gpedone77,

Saturday, October 19, 2002, 6:20:57 PM, you wrote:

g> I tried this with a site running domino 5.0.7 and it works for
g> log.ntf+++<>.nsf/ and for webadmin.nsf, but not for setupweb.nsf or for
g> names.nsf (at least apparently).
g> On Domino 5.0.9a looks like it does not work... it keeps on giving error 500
g> (or requesting auth, it depends on how long is the junk string)

As I responded to HalbaSus, this was fixed in R5.0.9, by the looks of
it.

It doesn't work for names.nsf because the template that names.nsf uses
is named pubnames.ntf, not names.ntf. The vulnerability is effectively
just confusing the Domino server to return the .ntf equivalent of the
.nsf file name - if the database name and the name of the template
that created it vary, the database will not be vulnerable.

-- 
Best regards,
 Philip                            mailto:philat_private

Next message: bad bob: "Help with a Clariion 4500 (aka dell fc450) raid array"
Previous message: Dragos Ruiu: "Re: Covert Channels"
In reply to: gpedone77: "Re: UserID and hashed password for Lotus Domino"
Next in thread: Philip Storry: "Re[2]: UserID and hashed password for Lotus Domino"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Oct 21 2002 - 08:26:34 PDT