SecurityTracker.com
Category:   Application (Web Server/CGI)  >   IBM Lotus Notes
Vendors:   IBM
Lotus Domino Web Server R4 May Disclose Files in the Web Root Directory to Remote Users Via URL Requests Ending With a Question Mark
SecurityTracker Alert ID:  1004694
SecurityTracker URL:  http://securitytracker.com/id/1004694
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 3 2002
Impact:   Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 4.x
Description:   An information disclosure vulnerability was reported in IBM's Lotus Domino web server. A remote user can view files in the web root directory.

Digisec.org issued a security advisory warning that if there are certain files or custom-made .nsf databases in Domino's web root directory, a remote user can download those files by appending a question mark "?" to the end of the filename in a URL request.

This exploit method has reportedly been confirmed through testing against various file types (e.g., '.tar', '.htm', '.zip').

Domino R5 is apparently not affected by this flaw.

The vendor has reportedly been notified.

Impact:   A remote user can view files located in the web server's document root directory.
Solution:   No solution was available at the time of this entry.

The vendor has reportedly recommended creating a separate directory for the web site files as a workaround.

Vendor URL:  www.lotus.com/
Cause:   Access control error, Input validation error
Underlying OS:   Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.
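
A log check for the request pattern described above, as an added example (not part of the SecurityTracker entry or the Digisec.org advisory): it flags requests for a file directly in the web root whose URL ends in a bare "?". The Common Log Format layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# NCSA Common Log Format is an assumption; adjust the pattern to your server's log layout.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/2002:22:19:52 -0700] "GET /backup.tar? HTTP/1.0" 200 104857',
    '192.0.2.10 - - [02/Jul/2002:22:20:03 -0700] "GET /custom.nsf? HTTP/1.0" 200 52311',
    '198.51.100.7 - - [02/Jul/2002:22:21:10 -0700] "GET /custom.nsf?OpenDatabase HTTP/1.0" 200 4120',
    '198.51.100.7 - - [02/Jul/2002:22:21:40 -0700] "GET /site/index.htm? HTTP/1.0" 200 900',
    '203.0.113.5 - - [02/Jul/2002:22:22:00 -0700] "GET /notes.zip? HTTP/1.0" 404 0',
]

def is_bare_question_root_request(target):
    """True for a file directly in the web root followed by an empty query ("/name.ext?")."""
    # Ordinary Domino URL commands such as "?OpenDatabase" carry text after the "?".
    if not target.endswith("?") or target.count("?") != 1:
        return False
    path = unquote(target[:-1])
    name = path[1:]
    # The advisory reports the behaviour only for files in the web root itself.
    return path.startswith("/") and name != "" and "/" not in name and "\\" not in name

def find_suspect_requests(lines):
    """Return one record per GET/HEAD request matching the advisory's URL pattern."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] not in ("GET", "HEAD"):
            continue
        if not is_bare_question_root_request(m["target"]):
            continue
        status = int(m["status"])
        size = int(m["size"]) if m["size"].isdigit() else 0
        hits.append({
            "host": m["host"],
            "file": unquote(m["target"][:-1])[1:],
            "status": status,
            # A 2xx reply with a body means the file content was actually returned.
            "served": 200 <= status < 300 and size > 0,
        })
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

Records with `served` set to true identify files that should be moved out of the web root, per the vendor's workaround.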


 Source Message Contents

Date:  Tue, 2 Jul 2002 22:19:52 -0700
Subject:  [VulnWatch] Lotus Domino R4 File Retrieval Vulnerability...


Lotus Domino R4 Web Server -- File Retrieval Vulnerability

Digisec.org Security Advisory

Systems affected:

Lotus Domino R4 (Versions 4.x) AIX - have not tested other versions/platforms

Risk: High

Date: July 2, 2002

Legal Notice:

This advisory is Copyright (c) 2002 Digisec.org

This advisory may be distributed unmodified, however, you may not modify and distribute (in parts or in its entirety) without express written permission.

Disclaimer:

Use this information at your own risk.  Digisec.org is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory.  Digisec.org bears no responsibility for content or misuse of this advisory or any derivatives thereof.

 

Description: 

 

Lotus Domino Web Server under AIX (have not tested other versions) allows downloading of files in the web root directory (rather than referring to the ECLs within the database or the permissions on the file itself).  This does not work on the standard web scripts included in Domino such as admin4.nsf, names.nsf, domcfg.nsf, etc.  However, if there are other files or custom-made .nsf databases in the server's web root directory, they may be downloaded by appending a "?" at the end of the file name.

Our understanding of this problem is based on the way that Lotus handles documents in the web root directory.  When a request is made to a file, the addition of the "?" on the end of the file name acts as a wildcard.  The server doesn't know how to handle this character and instead just delivers the entire file rather than trying to parse the file through the web handler.  This was tested with other various file types (.tar, .htm, .zip, etc.) all with success.

 

Exploit Information: 

 

http://dominoserver/nameoffile.ext? will get the file "nameoffile.ext".

 

 

Vendor status:

Lotus was notified about the issue.  They noted that this issue had never been reported and suggested a workaround that appears to correct the issue.  Their suggestion was to create a separate directory for the web site files (don't put them in the web root created during installation).  Also, the permissions on these files should be appropriately applied.  This vulnerability only appears to work on files within the web root directory not in other folders.  This vulnerability is not an issue in R5 (which was tested by Lotus).

 

Acknowledgements:

 

Thanks to the following for your support and insight:  Lotus, packetphobia, rabidpacketmonky and j0hnn135.




Copyright 2013, SecurityGlobal.net LLC