IBM Domino ZMerge Database Security Bypass. Vulnerability due to insufficient access control
Reporter | Title | Published | Views | Family All 5 |
---|---|---|---|---|
![]() | CVE-2002-0664 | 4 Oct 200204:00 | – | cve |
![]() | CVE-2002-0664 | 10 Sep 200204:00 | – | cvelist |
![]() | IBM Lotus Domino Administration Databases Anonymous Access | 8 Mar 200100:00 | – | nessus |
![]() | CVE-2002-0664 | 4 Oct 200204:00 | – | nvd |
![]() | HCL / IBM / Lotus Domino Administration Databases Accessible (HTTP) | 3 Nov 200500:00 | – | openvas |
Source | Link |
---|---|
nessus | www.nessus.org/u |
seclists | www.seclists.org/bugtraq/2002/Sep/51 |
cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(86322);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/10/06");
script_cve_id("CVE-2002-0664");
script_bugtraq_id(5101);
script_name(english:"IBM Domino ZMerge Database Security Bypass");
script_set_attribute(attribute:"synopsis", value:
"A remote database can be accessed without credentials.");
script_set_attribute(attribute:"description", value:
"The version of IBM Domino (formerly IBM Lotus Domino) running on the
remote host is affected by a security bypass vulnerability due to
insufficient access control list (ACL) settings on the administration
databases for ZMerge. An unauthenticated, remote attacker can exploit
this issue to disclose configuration information about the IBM Domino
server installation or possibly to gain manager level access.
Note that this plugin may report Domino databases without ZMerge, if
the databases are found to be non-password protected.");
# https://www.ibm.com/developerworks/lotus/library/dominowebserver-security/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?06aa671b");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Sep/51");
script_set_attribute(attribute:"solution", value:
"Verify all of the ACLs for the available databases.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute: "cvss_score_source", value: "CVE-2002-0664");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/09");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_domino");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_require_keys("www/domino");
script_require_ports("Services/www", 80);
exit(0);
}
include("http.inc");
include("webapp_func.inc");
port = get_http_port(default:80);
get_kb_item_or_exit("www/domino");
if (!thorough_tests)
{
dbs = make_list(
"admin4.nsf",
"log.nsf",
"names.nsf",
"reports.nsf",
"webadmin.nsf"
);
}
else
{
dbs = make_list(
"account.nsf",
"accounts.nsf",
"admin4.nsf",
"agentrunner.nsf",
"AgentRunner.nsf",
"archive/a_domlog.nsf",
"archive/l_domlog.nsf",
"bookmark.nsf",
"books.nsf",
"busytime.nsf",
"calendar.nsf",
"catalog.nsf",
"cersvr.nsf",
"certlog.nsf",
"certsrv.nsf",
"collect4.nsf",
"cpa.nsf",
"database.nsf",
"db.nsf",
"dbdirman.nsf",
"decsadm.nsf",
"default.nsf",
"doladmin.nsf",
"domcfg.nsf",
"domguide.nsf",
"domino.nsf",
"domlog.nsf",
"events4.nsf",
"group.nsf",
"groups.nsf",
"hidden.nsf",
"iNotes/Forms5.nsf",
"lccon.nsf",
"ldap.nsf",
"lndfr.nsf",
"log.nsf",
"loga4.nsf",
"mab.nsf",
"mail.box",
"mail/admin.nsf",
"mailw46.nsf",
"mtabtbls.nsf",
"name.nsf",
"names.nsf",
"nntppost.nsf",
"notes.nsf",
"ntsync4.nsf",
"private.nsf",
"products.nsf",
"proghelp/KBCCV11.nsf",
"public.nsf",
"qstart.nsf",
"quickstart/qstart50.nsf",
"quickstart/wwsample.nsf",
"reports.nsf",
"sample/faqw46.nsf",
"sample/framew46.nsf",
"secret.nsf",
"secure.nsf",
"setup.nsf",
"smtpibwq.nsf",
"smtpobwq.nsf",
"smtptbls.nsf",
"software.nsf",
"statmail.nsf",
"statrep.nsf",
"statsrep.nsf",
"stats675.nsf",
"user.nsf",
"users.nsf",
"webadmin.nsf",
"welcome.nsf",
"zmevladm.nsf"
);
}
report_dbs = "";
foreach db (dbs)
{
res = http_send_recv3(
method : "GET",
item : "/" + db,
port : port,
exit_on_fail : TRUE
);
if (
"Please identify yourself" >< res[2] ||
'type="password"' >< res[2] ||
preg(pattern:"<title>server login</title>", string:res[2], icase:TRUE, multiline:TRUE) ||
'_QuickPlaceLoginForm' >< res[2] ||
"WWW-Authenticate" >< res[1]
)
{
set_kb_item(name:'www/domino/'+port+'/db/password_protected', value:db);
}
else if (res[0] =~ "200 OK" && (db >< res[2]))
{
set_kb_item(name:'www/domino/' + port + '/db/anonymous_access', value:db);
report_dbs += " " + build_url(qs:"/"+db, port:port) + '\n';
}
}
if (report_dbs)
{
report =
'\nNessus found the following IBM Domino databases that can be accessed' +
'\nwithout credentials :\n' +
'\n' + report_dbs + '\n';
security_report_v4(
port: port,
severity: SECURITY_HOLE,
extra: report
);
}
else audit(AUDIT_LISTEN_NOT_VULN, "IBM Domino", port);
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo