Bypass Lotus Domino password protected url
A security vulnerability has been found in the popular Lotus Domino Web server.
Lotus Domino have files like webadmin.nsf, log.nsf and names.nfs, this files
are protected by password. It is discover that is posible to bypass this password
if you create a malformed url.
Notes Databases '.nsf' like webadmin.nsf or log.nsf are store in "lotus/domino/
data/" directory nas Notes Templatesi '.ntf' are store in the same place (Here
is the goal).
There is a critical and max length.
assuming the buffer is: http://host.com//
Critical buffer length: is the minimun buffer length you need to bypass the
normal url: http://host.com/log.nsf .snf/
In the case of log.nsf, is 217 - 12 = 205 '+' and the url will be:
|-------- 205 -----|
If you write a buffer between 219 and 257(higher buffer), you bypass the
modify url: http://host.com/log.ntf.snf/
|---219 to 257 --|