Lotus Domino HTTP Anonymous CGI Access

1999-12-21T00:00:00
ID OSVDB:3327
Type osvdb
Reporter OSVDB
Modified 1999-12-21T00:00:00

Description

Vulnerability Description

Lotus Domino HTTP Service contains a flaw that may allow a malicious user to gain inappropriate access to the cgi-bin directory. The issue is triggered when anonymous access to the cgi-bin directory is disabled. It is possible that the flaw may allow anonymous access to cgi-bin even when it has been turned off resulting in a loss of confidentiality.

Technical Description

The Domino configuration allows the administrator to disallow anonymous access to the HTTP server. However, when anonymous access is disallowed the cgi-bin directory is still available to anonymous browsers.

This was not addressed in the 4.x Domino servers.

Solution Description

Upgrade to version 5.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):

Redirect CGI handling as specified in the Lotus BUGTRAQ post:

  • If the customer does not require the use of any CGI's, then the entire /cgi-bin directory can be redirected to another URL (a Notes database, or html file). If any "/cgi-bin" requests are made, they will be directed to this URL and are not processed as CGI.

  • If the customer does require the use of CGI's the following setup will be required: 1) In the HTTP section of the Server Document, change the "CGI URL path" field to a different URL path. This does not require a change for the "CGI directory" field, such that the location on the hard drive for CGI's will remain the same. Only the URL which invokes CGI's will be altered.

Example: The default CGI URL path is "/cgi-bin"; change this to "/scripts/cgi-bin". Now, whenever a /cgi-bin request is made, it is recognized as a URL instead of a CGI.

2) Create a URL Redirect document in the DOMCFG.NSF for each specific CGI that resides on the server. Specify the incoming URL path as "/cgi-bin", and the redirection URL as "/scripts/cgi-bin".

Short Description

Lotus Domino HTTP Service contains a flaw that may allow a malicious user to gain inappropriate access to the cgi-bin directory. The issue is triggered when anonymous access to the cgi-bin directory is disabled. It is possible that the flaw may allow anonymous access to cgi-bin even when it has been turned off resulting in a loss of confidentiality.

References:

Related OSVDB ID: 50 Related OSVDB ID: 51 Other Solution URL: http://archives.neohapsis.com/archives/bugtraq/1999-q4/0476.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1999-q4/0404.html ISS X-Force ID: 4390 CVE-2000-0022 Bugtraq ID: 881