
HCL / IBM / Lotus Domino Administration Databases Accessible (HTTP)

2005-11-03 00:00:00
Copyright (C) 2001 Javier Fernández-Sanguino Peña


This script determines if some default Lotus Domino databases
can be read remotely.

# SPDX-FileCopyrightText: 2001 Javier Fernández-Sanguino Peña
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

# Product CPE used below to look up the Domino HTTP port and install
# directory recorded by the detection plugin (get_app_port / get_app_location).
CPE = "cpe:/a:ibm:lotus_domino";

# Registration phase: when the scanner loads the plugin with `description`
# set, only the metadata below is published and the script exits before
# any network activity takes place.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.10629");
  script_version("2023-08-03T05:05:16+0000");
  script_tag(name:"last_modification", value:"2023-08-03 05:05:16 +0000 (Thu, 03 Aug 2023)");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_cve_id("CVE-2000-0021", "CVE-2002-0664");

  script_name("HCL / IBM / Lotus Domino Administration Databases Accessible (HTTP)");

  # ACT_GATHER_INFO: read-only checks, no state-changing requests are sent.
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2001 Javier Fernández-Sanguino Peña");
  script_family("Web Servers");
  # Only runs on hosts where the consolidated Domino detection has
  # already populated the KB, so the requests are not sent blindly.
  script_dependencies("gb_hcl_domino_consolidation.nasl");
  script_mandatory_keys("hcl/domino/detected");
  script_require_ports("Services/www", 80);

  script_xref(name:"URL", value:"http://www.lotus.com/developers/devbase.nsf/articles/doc1999112200");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/5101");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/881");

  script_tag(name:"summary", value:"This script determines if some default Lotus Domino databases
  can be read remotely.");

  script_tag(name:"vuldetect", value:"Sends various crafted HTTP GET requests and checks the
  responses.");

  script_tag(name:"insight", value:"An anonymous user can retrieve information from this Lotus
  Domino server: users, databases, configuration of servers (including operating system and hard
  disk partitioning), logs of access to users (which could expose sensitive data if GET html forms
  are used).

  These issues are discussed in the references
  'Lotus White Paper: A Guide to Developing Secure Domino Applications' (december 1999).");

  script_tag(name:"solution", value:"Verify all the ACLs for these databases and remove those not
  needed.");

  script_tag(name:"solution_type", value:"Workaround");
  # remote_vul: the finding is based on the actual server response, not
  # on a version banner.
  script_tag(name:"qod_type", value:"remote_vul");

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("list_array_func.inc");
include("host_details.inc");

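# Checks whether a single Domino database path answers on the given port
# and classifies it as either anonymously readable or login-protected.
#
# @param port   the HTTP port to test
# @param url    the request path (already prefixed with the detected
#               install directory by the caller)
# @param output the human-readable reason appended to the report when the
#               database is served without authentication
#
# Side effects: appends to the script-level vuln_db / auth_db report
# strings and records readable databases in the KB under
# "www/domino/<port>/db". Always returns 0; results travel via the
# globals above.
function test_cgi( port, url, output ) {

  if( ! http_is_cgi_installed_ka( port:port, item:url ) )
    return( 0 );

  req = http_get( item:url, port:port );
  res = http_keepalive_send_recv( port:port, data:req );

  # A failed / empty response contains none of the login markers below, so
  # without this guard it would be misreported as an anonymously readable
  # database (false positive). Treat it as "no result" instead.
  if( ! res )
    return( 0 );

  # Any of these markers means the server answered with its login page
  # rather than with database content. The last pattern covers homepage.nsf,
  # which is just a default landing page on current releases.
  if( "Please identify yourself" >< res ||
      'type="password"' >< res ||
      "<TITLE>Server Login</TITLE>" >< res ||
      res =~ ">Domino Administrator.*Help</" ) {
    auth_db += '\n' + http_report_vuln_url( port:port, url:url, url_only:TRUE );
    return( 0 );
  }

  vuln_db += '\n' + http_report_vuln_url( port:port, url:url, url_only:TRUE ) + " Reason: This must be considered a security risk since " + output + ".";
  set_kb_item( name: "www/domino/" + port + "/db", value:url );

  return( 0 );
}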

# Report accumulators filled in by test_cgi(): databases served without
# credentials, and databases that answered with a login page.
vuln_db = "";
auth_db = "";

# Resolve the Domino web port and install directory stored by the
# detection plugin; nothing to test on hosts where either is unknown.
port = get_app_port( cpe:CPE, service:"www" );
if( ! port )
  exit( 0 );

dir = get_app_location( cpe:CPE, port:port );
if( ! dir )
  exit( 0 );

# A bare "/" install directory would otherwise yield "//name.nsf" paths.
if( dir == "/" )
  dir = "";

# Well-known administration databases and, for each, the reason shown in
# the report when it is served without authentication. Keys are relative
# to the detected install directory and are prefixed in the loop below.
urls = make_array(
  "/catalog.nsf",  "the list of databases in the server can be retrieved",
  "/cersvr.nsf",   "the information on the server certificates can be read anonymously",
  "/domlog.nsf",   "the logs of the domain servers  can be read anonymously",
  "/events4.nsf",  "the list of events that have taken place can be read anonymously, this might lead to information disclosure of users and hidden databases",
  "/log.nsf",      "the server log can be retrieved",
  "/names.nsf",    "the users and groups in the server can be accessed anonymously, in some cases, access to the hashed passwords will be possible",
  "/setup.nsf",    "the server might be configured remotely or the current setup might be downloaded",
  "/statrep.nsf",  "the reports generated by administrators can be read anonymously",
  "/webadmin.nsf", "the server administration database can be read anonymously",
  "/zmevladm.nsf", "it provides arbitrary users with Manager level access, which allows the users to read or modify the import/export scripts" );

foreach url( keys( urls ) ) {
  test_cgi( port:port, url:dir + url, output:urls[url] );
}

# Broader list of default, sample and help databases. These share one
# generic reason string because per-database impact descriptions were
# never written (original author's TODO: add info on how each database
# affects the server). Paths are relative to the detected install
# directory and are prefixed with `dir` in the loop below.
foreach url( make_list( "/852566C90012664F", "/account.nsf", "/accounts.nsf",
                        "/admin4.nsf", "/admin5.nsf", "/admin.nsf",
                        "/a_domlog.nsf", "/agentrunner.nsf", "/AgentRunner.nsf",
                        "/alog.nsf", "/archive/a_domlog.nsf", "/archive/l_domlog.nsf",
                        "/bookmark.nsf", "/bookmarks.nsf", "/books.nsf",
                        "/busytime.nsf", "/calendar.nsf", "/certa.nsf",
                        "/certlog.nsf", "/certsrv.nsf", "/clbusy.nsf",
                        "/cldbdir.nsf", "/clusta4.nsf", "/collect4.nsf",
                        "/cpa.nsf", "/da.nsf", "/database.nsf", "/dba4.nsf",
                        "/dbdirman.nsf", "/db.nsf", "/dclf.nsf",
                        "/DEASAppDesign.nsf", "/DEASLog01.nsf", "/DEASLog02.nsf",
                        "/DEASLog03.nsf", "/DEASLog04.nsf", "/DEASLog05.nsf",
                        "/DEASLog.nsf", "/decsadm.nsf", "/decslog.nsf",
                        "/DEESAdmin.nsf", "/default.nsf", "/deslog.nsf",
                        "/dirassist.nsf", "/doc/dspug.nsf", "/doc/helpadmn.nsf",
                        "/doc/javapg.nsf", "/doc/readmec.nsf", "/doc/readmes.nsf",
                        "/doc/svrinst.nsf", "/doc/wksinst.nsf", "/doladmin.nsf",
                        "/domadmin.nsf", "/domcfg.nsf", "/domguide.nsf",
                        "/domino.nsf", "/dspug.nsf", "/event.nsf", "/events5.nsf",
                        "/events.nsf", "/group.nsf", "/groups.nsf", "/help4.nsf",
                        "/help/decsdoc.nsf", "/help/dols_help.nsf", "/help/help5_admin.nsf",
                        "/help/help5_client.nsf", "/help/help5_designer.nsf",
                        "/help/help6_admin.nsf", "/help/help6_client.nsf",
                        "/help/help6_designer.nsf", "/help/lccon.nsf", "/help/lsxlc.nsf",
                        "/helplt4.nsf", "/help/readme.nsf", "/hidden.nsf",
                        "/home.nsf", "/homepage.nsf", "/iNotes/Forms5.nsf",
                        "/iNotes/Forms5.nsf/$DefaultNav", "/jotter.nsf", "/lccon.nsf",
                        "/ldap.nsf", "/l_domlog.nsf", "/leiadm.nsf", "/leilog.nsf",
                        "/leivlt.nsf", "/lndfr.nsf", "/loga4.nsf", "/mab.nsf",
                        "/mail10.box", "/mail1.box", "/mail2.box", "/mail3.box",
                        "/mail4.box", "/mail5.box", "/mail6.box", "/mail7.box",
                        "/mail8.box", "/mail9.box", "/mail/admin.nsf", "/mail.box",
                        "/mailw46.nsf", "/msdwda.nsf", "/mtabtbls.nsf", "/mtatbls.nsf",
                        "/mtstore.nsf", "/nntp/nd000001.nsf", "/nntp/nd000002.nsf",
                        "/nntp/nd000003.nsf", "/nntppost.nsf", "/notes.nsf",
                        "/ntsync45.nsf", "/ntsync4.nsf", "/perweb.nsf",
                        "/private.nsf", "/products.nsf", "/proghelp/KBCCV11.NSF",
                        "/public.nsf", "/qpadmin.nsf", "/qstart.nsf",
                        "/quickplace/quickplace/main.nsf", "/quickstart/qstart50.nsf",
                        "/quickstart/wwsample.nsf", "/reports.nsf", "/sample/faqw46.nsf",
                        "/sample/framew46.nsf", "/sample/siregw46.nsf", "/schema50.nsf",
                        "/secret.nsf", "/secure.nsf", "/setupweb.nsf", "/smbcfg.nsf",
                        "/smconf.nsf", "/smency.nsf", "/smhelp.nsf", "/smmsg.nsf",
                        "/smquar.nsf", "/smsolar.nsf", "/smtime.nsf", "/smtp.box",
                        "/smtpibwq.nsf", "/smtp.nsf", "/smtpobwq.nsf", "/smtptbls.nsf",
                        "/smvlog.nsf", "/software.nsf", "/srvnam.htm", "/statmail.nsf",
                        "/stats675.nsf", "/stauths.nsf", "/stautht.nsf", "/stconfig.nsf",
                        "/stconf.nsf", "/stdnaset.nsf", "/stdomino.nsf", "/stlog.nsf",
                        "/streg.nsf", "/stsrc.nsf", "/user.nsf", "/userreg.nsf", "/users.nsf",
                        "/vpuserinfo.nsf", "/web.nsf", "/webstart.nsf", "/welcome.nsf" ) ) {

  test_cgi( port:port, url:dir + url, output:"this database can be read anonymously" );
}

# Databases served without credentials are the actual finding and are
# raised at the plugin's configured severity.
if( vuln_db ) {
  report = 'We found the following domino databases:\n' + vuln_db;
  security_message( port:port, data:report );
}

# Databases that answered with a login page are only logged as information
# so the reader knows they exist but are not exposed anonymously.
if( auth_db ) {
  info = '\nThe following databases exists but are password-protected:\n' + auth_db;
  log_message( port:port, data:info );
}

exit( 99 );
