Lotus Domino vulnerable to directory traversal, aka "Domino Server Directory Transversal Vulnerability"

Overview

Lotus Domino web server may allow malformed URL requests to access files outside the document root of a vulnerable system.

Description

A Lotus Domino server running the HTTP task may permit an intruder to read files on file systems or drives that house Lotus Notes databases. By using a specially crafted URL containing “…” and the name of an existing file, an intruder may be able to cause a Domino server to return the contents of the file to the intruder over the HTTP connection. If this file contains sensitive information, an intruder may be able to leverage that information to gain additional access.

---

Impact

Intruders can read files outside the normal web root of a Domino server.

---

Solution

Lotus plans on releasing a new version (R5.0.6a) which addresses this problem as soon as possible. See <http://www.lotus.com/security&gt; for more details. According to Lotus, the SPR (Software Problem Report) number is KSPR4SPQ5S. When an SPR is fixed, it is posted in the Fix List database on Notes.net. In the meantime, a workaround is possible by using the URL redirection feature of Domino.

---

Redirect URLs of the form … to a harmless location or an error page. See the <http://www.lotus.com/security&gt; for details or consult your Domino documentation.

---

Vendor Information

590487

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Lotus __ Affected

Notified: January 06, 2000 Updated: January 10, 2001

Status

Affected

Vendor Statement

Lotus Notes Domino R4.x is not vulnerable to this issue.

Lotus Notes Domino R5.x is vulnerable to this issue.

Additional notes:

What is the nature of the vulnerability? Given a known path and file name, files can accessed from the Domino server. This is limited to the file system (or drive) that the Domino server is installed on. It is not possible to browse the file system, but if a file name can be correctly guessed at, it can be accessed.
What versions of Domino are affected? R5.0 - R5.06 on all operating system platforms (this includes products running on Domino R5.x as the web server) R4x is not affected
How can I track this issue? The SPR (Software Problem Report) number is KSPR4SPQ5S. Issues can be tracked via the Fix List database on Notes.net --> ``<http://www.notes.net/R5FixList.nsf>``
Are there workarounds available? There are several measures that can be taken to reduce, but not completely eliminate, the risk of this vulnerability. A code fix is currently in progress and will be made available shortly.
To address the specific issue documented in the advisory, File Protection documents can be used. However, it does not address some related issues. The planned QMU will be required to address this issue completely.
In the Domino Directory, select the server document and click Web/Create File Protection. On the Basics tab, in the path field, specify the following extensions (one document for each path)
/.nsf/../ /.ns4/../ /.box/../
On the Access Control tab, specify Default as No Access.
Other steps to minimize risk: Limit files stored on the file system where Domino is installed Password protect the server id Locally encrypt system databases (and other databases with easily guessable file names) with the server's id Rename the server id to something other than server.id Rename the notes.ini file and launch the server specifying the notes.ini file
What are Lotus' plans to address this issue? Lotus is treating this with the highest priority and has a fix being tested now. The release number will be R5.0.6a and it will be posted to ``<http://notes.net>`` as soon as it is available. We are currently targeting the end of this week (13-Jan-01).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We are aware of public reports that Notes/Domino 4 is also vulnerable to this issue. We have not been able to reproduce that behavior. Additionally, our conversations with Lotus indicate they are aware of the reports as well, but likewise do not believe that version 4 is affected. We will continue investigating.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23590487 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.lotus.com/security&gt;
• <http://www.notes.net/R5FixList.nsf&gt;
• <http://www.guninski.com/lotus1.html&gt;
• <http://www.securityfocus.com/bid/2173&gt;

Acknowledgements

The CERT/CC would like to acknowledge Katherine Spanbauer, Senior Product Manager, Notes and Domino Security Lotus Development Corporation for her assistance, and independent researcher Georgi Guninski who discovered this problem.

This document was written by Jeffrey S Havrilla and Shawn Hernan.

Other Information

CVE IDs:	CVE-2001-0009
Severity Metric:	21.60 Date Public: