February 6th, 2002, 11:37 AM
Bypass Lotus Domino password protected url
A security vulnerability has been found in the popular Lotus Domino Web server.
Lotus Domino has files like webadmin.nsf, log.nsf and names.nsf; these files
are protected by password. It was discovered that it is possible to bypass this password
if you create a malformed URL.
Notes databases ('.nsf') like webadmin.nsf or log.nsf are stored in the "lotus/domino/data/"
directory, and Notes templates ('.ntf') are stored in the same place (here
is the goal).
There is a critical and max length.
assuming the buffer is: http://host.com//
Critical buffer length: is the minimum buffer length you need to bypass the
normal url: http://host.com/log.nsf .snf/
In the case of log.nsf, it is 217 - 12 = 205 '+' and the URL will be:
|-------- 205 -----|
If you write a buffer between 219 and 257 (higher buffer), you bypass the
modify url: http://host.com/log.ntf.snf/
|---219 to 257 --|
February 6th, 2002, 12:09 PM
I didn't know yet.
thanks for the info. (not that I'm running lotus...)
February 6th, 2002, 12:24 PM
I was thinking. Wonder if IBM is going to change its Lotus lineup now that it is embracing Linux on a large scale in its new lineup of servers?
Anyway. Lotus has always been better than Exchange in many respects. At one point IBM could have had more great products. The SmartSuite Millennium Edition office package was really nice and worked well. As well, the Notes client is fairly robust. It seems IBM is always at the forefront of new technology, or has a good long-term product. Then, for some unknown reason, they always drop the ball. MS is a good example. Big Blue got the shaft from them early on and helped seat MS in the position it is today. Go figure.
February 6th, 2002, 02:48 PM
I'm running Domino 5.0.8. I attempted to go to http://domino/log.ntf. I got a password screen. I attempted to go to http://domino/log.ntf++++++++++++++++++++.nsf/. I got a 404 file not found. I attempted to go to http://domino/log.ntf.snf. I still get a 404 file not found.
If I read your post correctly, using such a malformed URL should bypass the password.... I can't duplicate this problem. Is it fixed in 5.0.8?
February 6th, 2002, 02:58 PM
I'm sorry, but I'm afraid that the version of the software wasn't mentioned in my sources... I too am looking for what version it is, but I can't find any.
February 6th, 2002, 04:45 PM
Checking my resources on the issue: "the bugtraq". The problem appears on Domino 5.0.8 and earlier. Lotus has been informed and there is a patch for this.
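
For anyone reviewing web server logs for the request shape discussed in this thread (a '.ntf' name, a run of '+' padding, then '.nsf'), here is an added example; it is not part of any post above and is not Lotus code. It assumes Common Log Format access logs, and the sample lines, client addresses and the function name find_padded_requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: access logs are in Common Log Format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A template name (.ntf) followed directly by '+' padding and then ".nsf",
# the URL shape described in the thread.
PADDED_RE = re.compile(
    r'/(?P<name>[^/?#]+?\.ntf)(?P<pad>\++)\.nsf(?:[/?#]|$)', re.IGNORECASE
)


def find_padded_requests(lines):
    """Return one dict per log line whose path has '+' padding between .ntf and .nsf."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        req = REQUEST_RE.match(line)
        if not req:
            continue  # not a request line we can parse
        # unquote() decodes %2B to '+' but leaves a literal '+' untouched.
        path = unquote(req.group("target"))
        pad = PADDED_RE.search(path)
        if pad:
            status = int(req.group("status"))
            hits.append({
                "line": lineno,
                "client": req.group("ip"),
                "file": pad.group("name"),
                "padding": len(pad.group("pad")),
                "status": status,
                # Heuristic: a 2xx answer means content was returned, review first.
                "served": 200 <= status < 300,
            })
    return hits


# Constructed sample log lines (documentation IP ranges, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Feb/2002:14:48:01 +0000] "GET /log.nsf HTTP/1.0" 401 210',
    '192.0.2.10 - - [06/Feb/2002:14:48:09 +0000] "GET /log.ntf' + "+" * 20 + '.nsf/ HTTP/1.0" 404 312',
    '198.51.100.7 - - [06/Feb/2002:15:02:44 +0000] "GET /log.ntf' + "%2B" * 205 + '.nsf/ HTTP/1.0" 200 8841',
    '198.51.100.7 - - [06/Feb/2002:15:03:10 +0000] "GET /help/readme.nsf?OpenAbout HTTP/1.0" 200 1500',
]

if __name__ == "__main__":
    for hit in find_padded_requests(SAMPLE_LOG):
        print(hit)
```

Entries with "served" set are the ones to look at first, since the server returned content for a padded request instead of a password prompt or a 404.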